IETF Logo Mail Archive

Re: [OAUTH-WG] Lifetime of refresh token

Donghwan Kim <flowersinthesand@gmail.com> Fri, 28 August 2015 14:21 UTC

Return-Path: <flowersinthesand@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C5981B2B13 for <oauth@ietfa.amsl.com>; Fri, 28 Aug 2015 07:21:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sCgoUBd1iXLK for <oauth@ietfa.amsl.com>; Fri, 28 Aug 2015 07:21:42 -0700 (PDT)
Received: from mail-ig0-x231.google.com (mail-ig0-x231.google.com [IPv6:2607:f8b0:4001:c05::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CD7271B2AF5 for <oauth@ietf.org>; Fri, 28 Aug 2015 07:21:41 -0700 (PDT)
Received: by igbuu8 with SMTP id uu8so8479054igb.0 for <oauth@ietf.org>; Fri, 28 Aug 2015 07:21:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=JZO2+b/4QuIbqdi2Uzc+xNbhwsQlXDh4xrpuA6Mb7sk=; b=LbDO8qXcwvj1YyYLAx7TQ9EI6h4tFZ7ydDEGqevGr/gYr3LrGwxGIRzzEKCssMestE ndbcBuFkoadrGGmI2QOP3043mA5sspJwkAGqBrzQbmm5YRe4HThI9YgUX4SeyBOcwd4m C2cKpzxs5Q1DDyMlrXQ3wbeeqHhlgin6re9FABQnQHTjGlo5CaQrNVQsMLX8t+kYBcSY zSUqFOrOOKu4YoKTF7DxLVBrg7jNLODPAKJalb74qkyXsLGXAyz/w+FUpTD5NCQnn/VE 8zJmj0aLmRDmDvQMss4KIB64i1TdOwUyr/r4v/FSHCeUKgU32zwaEgSuWeVe7S5BAG9z eARg==
MIME-Version: 1.0
X-Received: by 10.50.26.66 with SMTP id j2mr3417908igg.42.1440771701295; Fri, 28 Aug 2015 07:21:41 -0700 (PDT)
Received: by 10.36.137.136 with HTTP; Fri, 28 Aug 2015 07:21:41 -0700 (PDT)
In-Reply-To: <C44C21E6-2559-4099-8B21-3544DE8965BD@lodderstedt.net>
References: <CAMbDefvdNNLHSMZEXDDOhukzha8G0WLb9j7f6qVXTrXaGCQxTQ@mail.gmail.com> <DE1DE335-FBEF-494A-97F0-BE0F9D4BABAA@ve7jtb.com> <C44C21E6-2559-4099-8B21-3544DE8965BD@lodderstedt.net>
Date: Fri, 28 Aug 2015 23:21:41 +0900
Message-ID: <CAMbDefsu0XAQvCR2+ako4PbsoKeezLwgizJ4dVsKMAY_DXM_wA@mail.gmail.com>
From: Donghwan Kim <flowersinthesand@gmail.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Content-Type: multipart/alternative; boundary="047d7bd75bb27551d7051e5fcd05"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/lf0atYWt_JUJ03P8jSqMcToe6Zw>
X-Mailman-Approved-At: Fri, 28 Aug 2015 08:08:17 -0700
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Lifetime of refresh token
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Aug 2015 14:21:44 -0000

I'm sorry to introduce a common topic.

As John has suggested, I'm going to design that

* An access token should be short lived e.g. 5 minutes (not to hit the AS
to verify the token or 1 hour (to hit the AS to verify the token). I'm
inclined to 5 minutes for stateless architecture of RSs.
* A refresh token should have 1 month of expiration time by default. If it
turns out that some access token expired, its refresh token should refresh
the token. Then, so called persistent login can be implemented regardless
of the form of authentication. Only if it fails for some reason e.g. token
revocation or inactivity for 1 month, a user is logged out automatically
and should log in again.
* A refresh token should be able to be revoked somehow. With 5 minutes
approach, it will invalidate only the refresh token (Yes the attacker can
have 5 minutes at most), and with 1 hour approach, it will invalidate the
refresh token as well as the corresponding access token.

Thanks,

-- Donghwan

On Fri, Aug 28, 2015 at 5:43 PM, Torsten Lodderstedt <
torsten@lodderstedt.net> wrote:

> Refresh tokens are also used by public clients, e.g. native apps. OIDC
> allows to acquire a new id token from a refresh token as well. Note: this
> does not mean a fresh authentication but a refreshed id token containing
> the data of the original authentication transaction.
>
> Am 24. August 2015 17:08:21 MESZ, schrieb John Bradley <ve7jtb@ve7jtb.com
> >:
>>
>> I think Nat’s diagram about the problems of doing pseudo authentication
>> with OAuth is being taken out of context.
>>
>> The refresh token dosen’t expire, it is revoked by the user or system.
>> In some cases refresh tokens are automatically revoked if the users session
>> to the AS ends.  I think AOL typically revokes refresh tokens when sessions
>> terminate.
>>
>> OpenID Connect provides a separate id_token with a independent lifetime
>> from the refresh token.  A client may keep a refresh token for a much
>> longer time than the user has a login session with the AS.
>>
>> Refresh tokens are typically used by confidential clients that are using
>> a client secret in combination with the refresh token for getting a new
>> access token.
>>
>> By design access tokens should be short lived as the AS is expected to
>> have a way of revoking refresh tokens but not access tokens.
>> A access token that dosen't expire , and can’t be revoked is not a good
>> idea.
>>
>> John B.
>>
>>
>> On Aug 24, 2015, at 2:41 AM, Donghwan Kim <flowersinthesand@gmail.com>
>> wrote:
>>
>> Hi,
>>
>> According to Figure 2 from http://tools.ietf.org/html/rfc6749#section-1.5,
>> refresh token can be used to refresh an expired access token without
>> requesting resource owner to sign in again (uncomfortable experience).
>> However, if it's true, isn't it that refresh token might be used to request
>> a new access token even years later? and then isn't refresh token the same
>> with access token which never expires?
>>
>> I intended to use refresh token to implement persistent login by sending
>> a refresh request before issued access token expires (expires_in runs out).
>> But if refresh token works even if access token expired already, sending a
>> refresh request on application start up would be enough.
>>
>> So I'm not sure what I'm missing about refresh token as well as how to
>> implement persistent login using it (you can regard authentication here
>> pseudo-authentication illustrated in
>> https://upload.wikimedia.org/wikipedia/commons/3/32/OpenIDvs.Pseudo-AuthenticationusingOAuth.svg).
>> What is the lifetime of refresh token?
>>
>> Thanks,
>>
>> -- Donghwan
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>> ------------------------------
>>
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>

v2.23.0 | Report a Bug | By Email