Re: [OAUTH-WG] refresh tokens and client instances

John Bradley <ve7jtb@ve7jtb.com> Mon, 07 July 2014 21:46 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A32EF1B2962 for <oauth@ietfa.amsl.com>; Mon, 7 Jul 2014 14:46:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Tak8u6p-GZmW for <oauth@ietfa.amsl.com>; Mon, 7 Jul 2014 14:46:39 -0700 (PDT)
Received: from mail-qc0-f174.google.com (mail-qc0-f174.google.com [209.85.216.174]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 198361B2955 for <oauth@ietf.org>; Mon, 7 Jul 2014 14:46:39 -0700 (PDT)
Received: by mail-qc0-f174.google.com with SMTP id x13so4319853qcv.5 for <oauth@ietf.org>; Mon, 07 Jul 2014 14:46:38 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:content-transfer-encoding:message-id:references :to; bh=+XofD0VPWCvnDPaoaPtCnMlB9yCP/NovKElMaiYwQz4=; b=ZlJMqy9yl8nCNWUVbROIjR17iB36DdPTmmHwguQR73pXk/g3/v1s4FG7oJ6QlgHd7u vgEx4cInGw6WtKQRwC7JUXxLcAt8jP6SlfA9IACNhsW3NN57lEdNzzBs4bHsAFcxKbC3 b0vembbfvl9docAUdsNEIjvZe0zmvO0luaRobQYH0cxRLK1tWHRR7aKX+jnrDkK0O3zZ zUDlnLYtGQT8NJ9B3bB5lCvK9x3OlZ2rAiWLyCSIyhCSfQQjZAZ1Orzyc5GYw0q7v1bv OQIzcknvNCh7Ivj2JwmxVmdxgMcXNPj/i3F4Tr/aHnlNmgAVjNr0v+EVVI9gf51TpCv0 8pyw==
X-Gm-Message-State: ALoCoQllyaNYSAQ4LNYaaggU6U5W6BJTzWkm+Np4EtN7G1io9GqLX2NbeXAh/2X0ld78fPdnYOnV
X-Received: by 10.140.107.3 with SMTP id g3mr50309698qgf.100.1404769598286; Mon, 07 Jul 2014 14:46:38 -0700 (PDT)
Received: from [192.168.0.200] ([201.188.84.221]) by mx.google.com with ESMTPSA id i10sm75759811qaq.22.2014.07.07.14.46.35 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 07 Jul 2014 14:46:37 -0700 (PDT)
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <014901cf9a28$e232c0a0$a69841e0$%nakhjiri@samsung.com>
Date: Mon, 07 Jul 2014 17:46:33 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <005C1FD3-2F7E-45C0-BD99-9CC439E81211@ve7jtb.com>
References: <007a01cf90d2$7bdda950$7398fbf0$%nakhjiri@samsung.com> <0BA8278C-6856-4C9F-96C7-C5752F3F1E09@ve7jtb.com> <002201cf922c$9ec65c90$dc5315b0$%nakhjiri@samsung.com> <EF0302C0-8077-408D-B82B-35FEAFD3C263@ve7jtb.com> <53B53F7C.506@gmail.com> <1404402057.15252.YahooMailNeo@web142801.mail.bf1.yahoo.com> <53B584BA.6090901@gmail.com> <014901cf9a28$e232c0a0$a69841e0$%nakhjiri@samsung.com>
To: Madjid Nakhjiri <m.nakhjiri@samsung.com>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/lW45apynuUrV_rEbVs0dtWbVlBo
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] refresh tokens and client instances
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Jul 2014 21:46:42 -0000

The client always needs a client_id.  

After the user authorizes the client the AS creates a code (there are lots of ways to do it, a database entry works for most people), and returns it to the client.

The client instance by possession  of that code is differentiated from other instances of that client in it's requests to the token endpoint by having a unique code or refresh_token.
That code and refresh token have grants associated with them for the user.

The user doesn't enter the code it is returned to the client in a query parameter appended to the redirect_uri.

The code is exchanged for a access token and optionally a refresh token,  after the access token expires the client can use the refresh token to get another access token. 
If the client doesn't have a refresh token it needs to go through authorization again.

John B.

On Jul 7, 2014, at 5:17 PM, Madjid Nakhjiri <m.nakhjiri@samsung.com> wrote:

> Hi Sergey,
> 
> Thanks for capturing the question. Yes, the issue was how we distinguish between different instances of client, all using the same client ID. >From answers I have gotten so far, it seems that the uniqueness of the instance may be provided through the uniqueness of a code grant. However, I have not figure out what the spec says on how to create the grant and how the grant code is unique to authorization server. If anybody could point me to that part of spec, I would appreciate it (I did not find it). 
> 
> Your description of "a user authorizes a given device and gets a grant code and enters it into device securely we have a client instance..." would require a device identifier, otherwise how does the fact that the client is on a different device identifies that instance as a unique instance?
> 
> I need to look at the spec for refresh versus access tokens. Do you need different grant code types for each type of token?
> 
> Thanks,
> Madjid
> -----Original Message-----
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Sergey Beryozkin
> Sent: Thursday, July 03, 2014 9:29 AM
> To: Bill Mills; oauth@ietf.org
> Subject: Re: [OAUTH-WG] refresh tokens and client instances
> 
> Hi
> On 03/07/14 16:40, Bill Mills wrote:
>> Implementations may/SHOULD bind refresh tokens to specific client 
>> instances.  Yes, it's possible that the client ID with dynamic 
>> registration is unique to each client, but many of the token theft use 
>> cases include the possibility of stealing the client ID too if you 
>> know you need to.
>> 
> What exactly is a 'client instance' when we talk about having a single client id registration, with the id shared between multiple devices (which is what I believe this thread started from).
> 
> What I understood, as far as the authorization service is concerned, a 'client instance' for AS is a combination of a client id + code grant.
> 
> + (optional) refresh token (as was mentioned earlier). But it appears to
> me a client instance can be uniquely identified by two values only without a refresh token.
> 
> When a user authorizes a given device and gets a grant code and enters it into the device securely we have a 'client instance' ready to get the tokens, with that device (client instance) using a client id and the grant code to get an access token and a refresh token.
> 
> Lets say it sends a "client_id=1&code=2" sequence to get the tokens.
> A client id + a code value constitutes a client instance, because a code would be unique per every authorization, right ?
> 
> So the service will return an access token + refresh token to the device. Refresh Token could've been associated with a record containing a client id + grant code info earlier or at the moment the code is exchanged for an access token.
> 
> During the subsequent refresh token grant request we have "client id + refresh token" as a client instance.
> 
> I'm not sure what exactly I'd like to ask here :-), but I wonder if the above sounds right, then I guess I'd like to conclude that when we talk about the authorization code grant then a refresh token is not the only key that uniquely identifies a client instance:
> 
> Initially it is a client id + code grant, a refresh token does not offer an extra uniqueness at the point of the client device requesting an access token with a code. Refresh token only starts acting as the key client instance identifier at a refresh token grant time.
> 
> Sorry for a long email, I'm very likely missing something, so any clarifications will be welcome
> 
> Thanks, Sergey
> 
> 
> 
> 
> 
> 
> 
>> -bill
>> 
>> 
>> On Thursday, July 3, 2014 4:33 AM, Sergey Beryozkin 
>> <sberyozkin@gmail.com> wrote:
>> 
>> 
>> Hi
>> 
>> I'm finding the answers from John interesting but I'm failing to 
>> understand why refresh tokens are mentioned in scope of identifying 
>> the specific client instances.
>> 
>> AFAIK refresh tokens would only go on the wire, assuming they are 
>> supported, when a client exchanges a grant for a new access token.
>> And when the client uses a refresh token grant.
>> 
>> Was it really about a refresh token grant where the incoming client id 
>> and refresh token pair can uniquely identify the actual client 
>> instance ? That would make sense.
>> 
>> Something else I'd like to clarify.
>> John mentions a refresh token is created at the authorization grant 
>> initialization time. Would it make any difference, as far as the 
>> security properties of a grant are concerned, if refresh token was 
>> only created at a grant to access token exchange point of time ?
>> 
>> Thanks, Sergey
>> 
>> On 27/06/14 19:21, John Bradley wrote:
>>> Inline
>>> 
>>> On Jun 27, 2014, at 1:24 PM, Madjid Nakhjiri 
>> <m.nakhjiri@samsung.com <mailto:m.nakhjiri@samsung.com>  > 
>> <mailto:m.nakhjiri@samsung.com <mailto:m.nakhjiri@samsung.com>>> wrote:
>>> 
>>>> Hi John,
>>>> Thank you for your reply. Would appreciate if you consider my 
>> inline  >> comments below and respond again!
>>>> R,
>>>> Madjid
>>>> *From:*John Bradley [mailto:ve7jtb@ve7jtb.com 
>> <mailto:ve7jtb@ve7jtb.com>]  >> *Sent:*Wednesday, June 25, 2014 5:56 
>> PM  >> *To:*Madjid Nakhjiri  >> *Cc:*oauth@ietf.org 
>> <mailto:oauth@ietf.org> <mailto:oauth@ietf.org 
>> <mailto:oauth@ietf.org>>  >> *Subject:*Re: [OAUTH-WG] refresh tokens 
>> and client instances  >> In 3.3 It is saying that the refresh token is 
>> a secret that the  >> Authorization server has bound to the client_id, 
>> that the  >> Authorization server effectively uses to differentiate 
>> between  >> instances of that client_id.
>>>> Madjid>>If I have 10,000s of devices, each with an instance of the  
>>>> OAUTH client, but they are all using the same client ID, how would 
>> the  >> server know which token to use for what client? unless when I 
>> am  >> creating a token, I also include something that uniquely 
>> identifies  >> each instance? Don’t I have to use SOMETHING that is 
>> unique to that  >> instance (user grant/ID?)?
>>> When the grant is issued you create and store a refresh token which 
>> is  > effectively the identifier for that instance/grant combination.
>>> When it comes back on a request to the token endpoint you look up 
>> the  > grants associated with it.  You also hack that the client_id 
>> sent in  > the request matches to detect errors mostly)  >  >> When 
>> the refresh token is generated, it can be stored in a table with  >> 
>> the client_id and the information about the grant.  You could also do  
>>>> it statelesly by creating a signed object as the refresh token.
>>>> Madjid>>agreed, but for the signed object to be self-sustained, 
>> again  >> would I not need something beyond a “population” client_ID? 
>> Are we  >> prescriptive what “information about the grant” is?
>>> You would be creating a bearer token as long as the AS signs it you 
>> can  > put whatever grant grant info you like in it, that is 
>> implementation  > specific.  It  could be a list of the scopes granted and the subject.
>>>> The spec is silent on the exact programming method that the  >> 
>> Authorization server uses.
>>>> Madjid>>Are there any other specs in IETF or elsewhere (OASIS, 
>> etc?)  >> that prescribe token calculation (e.g. hash function, parameters, etc)?
>>> 
>>> You can look at JOSE and JWT for a way to create tokens  > 
>> http://tools.ietf.org/html/draft-ietf-oauth-json-web-token
>>>> In 3.7 Deployment independent describes using the same client_id  
>>>> across multiple instances of a native client, or multiple instances 
>> of  >> a Java Script client running in a browsers with the same callback uri.
>>>> Since the publishing of this RFC we have also developed a spec for  
>>>> dynamic client registration so it is possible to give every native  
>>>> client it's own client_id and secret making them confidential clients.
>>>> Madjid>>I would need to look at those specs, however, I thought 
>> that  >> the “confidential client” designation has to do with the 
>> client  >> ability to hold secrets and perform a-by-server-acceptable  
>>>> authentication. Does dynamic client registration affect client’s  
>>>> ability in that aspect?
>>> 
>>> Yes it doesn't require the secret to be in the downloaded instance 
>> of  > the native app.  It can be populated at first run, changing it 
>> from  > public to confidential.
>>> Confidential is not just for web servers any more.
>>>> There is also a middle ground some people take by doing a proof of  
>>>> possession for code in native applications to prevent the 
>> interception  >> of responses to the client by malicious applications on the device.
>>>> https://datatracker.ietf.org/doc/draft-sakimura-oauth-tcse/
>>>> John B.
>>>> On Jun 25, 2014, at 8:06 PM, Madjid Nakhjiri 
>> <m.nakhjiri@samsung.com <mailto:m.nakhjiri@samsung.com>  >> 
>> <mailto:m.nakhjiri@samsung.com <mailto:m.nakhjiri@samsung.com>>> wrote:
>>>> 
>>>> 
>>>> Hi all,
>>>> I am new to OAUTH list and OAUTH, so apologies if this is very 
>> off-topic.
>>>> I am evaluating an OAUTH 2.0 implementation that is done based on 
>> bare  >> bone base OAUTH2.0 RFC. From what I understand, many (or 
>> some) client  >> implementations use a “global ID/secret” pair for all 
>> instances of the  >> client.  Looking at RFC 6819 and there seem to be 
>> a whole page on this  >> topic, if I understand it correctly. So questions:
>>>> 1)Section 3.7 talks about deployment-independent versus deployment  
>>>> specific client IDs. I am guessing “deployment-independent” refers 
>> to  >> what I called “global”, meaning if I have the same client with 
>> the  >> same client ID installed in many end devices, that is a 
>> deployment  >> independent case, correct?
>>>> 2)Section 3.3 on refresh token mentions that the token is secret 
>> bound  >> to the client ID and client instance. Could somebody please 
>> point me  >> to where the token generation and binding is described? 
>> Also how is  >> the client instance is identified?
>>>> Thanks a lot in advance,
>>>> Madjid Nakhjiri
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org <mailto:OAuth@ietf.org> <mailto:OAuth@ietf.org 
>> <mailto:OAuth@ietf.org>>  >> 
>> https://www.ietf.org/mailman/listinfo/oauth
>> 
>>> 
>>> 
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org <mailto:OAuth@ietf.org>  > 
>> https://www.ietf.org/mailman/listinfo/oauth
>>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org> 
>> https://www.ietf.org/mailman/listinfo/oauth
>> 
>> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth