IETF Logo Mail Archive

Re: [OAUTH-WG] Certificate-bound refresh tokens and certificate expiration handling in case of the confidential clients

Karsten Meyer zu Selhausen <karsten.meyerzuselhausen@hackmanit.de> Fri, 19 August 2022 13:37 UTC

Return-Path: <karsten.meyerzuselhausen@hackmanit.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08904C14CE31 for <oauth@ietfa.amsl.com>; Fri, 19 Aug 2022 06:37:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=hackmanit.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fbF8gic-Y2nO for <oauth@ietfa.amsl.com>; Fri, 19 Aug 2022 06:37:12 -0700 (PDT)
Received: from mail-ed1-x529.google.com (mail-ed1-x529.google.com [IPv6:2a00:1450:4864:20::529]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 843CAC14F734 for <oauth@ietf.org>; Fri, 19 Aug 2022 06:37:12 -0700 (PDT)
Received: by mail-ed1-x529.google.com with SMTP id a22so5690863edj.5 for <oauth@ietf.org>; Fri, 19 Aug 2022 06:37:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hackmanit.de; s=google; h=in-reply-to:subject:autocrypt:from:references:cc:to :content-language:user-agent:mime-version:date:message-id:from:to:cc; bh=eRhpuOb94k7bE5SsF0ZNg+xQfeWIxznEuYQ2J9QTitY=; b=iHpPEE96ps7E0PUIMNSoHCvGNhF5ngAoIjWms1iWyrBsfHgI+Av5k+y+0aifyoEuKC yi/5Tp/+4eUmlaV6HnzqVnpCdXZJdfiIA2tteQQDzcEh1rRZxkY6FWvNzz+KdOrt/6GN rPnTxfperuUHh+4c+0MPnWvYu+Cwsd4T/pnQQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=in-reply-to:subject:autocrypt:from:references:cc:to :content-language:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc; bh=eRhpuOb94k7bE5SsF0ZNg+xQfeWIxznEuYQ2J9QTitY=; b=z+uFGEbMPOn2hG3Wyqy1fIZ14rjDGH7tM0mS6OkUiNTtIYF1ebSumviU69yHMJ+zT5 ztI1K2+aaEBz3nvBHtISJzacKQjCsY+o+U0GNrHncNYKobRXtRE6HIwd6w9DgLZ0tSbs pDFSR8VC1nXB14k8kXt+iY9D+/Q9JIjaKdipgF4opKbCYpPnaId+gVOy8H5GORVs0SM+ JQB/XvRLp7VEIybVMqXgc6BAmq8ZOQaWHBHMqVouZnrof5TflVLmrCiDW5XtTDaRc7fX +g96fSElcZfu1YUbIOv2ASpmdsx1wSYWWBE3PRY2KnXlf+uiY7gDuEbkVp1JS74aSK6C uiSg==
X-Gm-Message-State: ACgBeo1dF1cVbmpUAruyR54YS7H/GLPqghZOrWh9ICOofRoIuEgizJRF gLbpJ4s3g3GB64ARI9gcRtGyCTSUBee4IQ==
X-Google-Smtp-Source: AA6agR7esPIOO43OC4lb/XPWOSyhp6j/Yk7WaCE/gPBcd0t5s6h9dIv4qjYhI7qKkD/JiZ6KmSvIxg==
X-Received: by 2002:a05:6402:100c:b0:43d:9009:c705 with SMTP id c12-20020a056402100c00b0043d9009c705mr6017202edu.49.1660916230011; Fri, 19 Aug 2022 06:37:10 -0700 (PDT)
Received: from [192.168.137.41] (ip-037-024-087-133.um08.pools.vodafone-ip.de. [37.24.87.133]) by smtp.gmail.com with ESMTPSA id q22-20020a1709064cd600b007306d478c62sm2349933ejt.62.2022.08.19.06.37.08 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 19 Aug 2022 06:37:09 -0700 (PDT)
Content-Type: multipart/alternative; boundary="------------Jh94raSfMNfB0EAC1kFEiwPQ"
Message-ID: <49c224f2-13a1-6580-51a4-5f2f1c28ba39@hackmanit.de>
Date: Fri, 19 Aug 2022 15:37:07 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.1.2
Content-Language: en-US
To: Jaimandeep Singh <jaimandeep.phdcs21=40nfsu.ac.in@dmarc.ietf.org>, mikheil@association.ge
Cc: oauth@ietf.org
References: <006c01d8ad93$776364f0$662a2ed0$@association.ge> <007201d8ad94$710026b0$53007410$@association.ge> <CA+k3eCSzUaNiO=NpqT5284+JQK=fDK_uGP_QuD65M_J5oWdWzA@mail.gmail.com> <00c001d8adae$5f33ba90$1d9b2fb0$@association.ge> <CAODMz5HZESoLP+ZfhgwLOmFWHo13AanrfchTBMubVU55CDSROg@mail.gmail.com>
From: Karsten Meyer zu Selhausen <karsten.meyerzuselhausen@hackmanit.de>
Autocrypt: addr=karsten.meyerzuselhausen@hackmanit.de; keydata= xsFNBFh1IBMBEADV73c10lB7zeFy6/ezLFzOBp8z6Zy1zUyIrf6RoBk1GQWREcGEGeaL90Pj F5plZeASVJdsEYnYXdgcIPE0tlBq6al6OYoWtH/VbFPWEPLVhA3rL1iXVJveD3J40OzSYP8N G7bla3zQ2+TXOB3iDPPsHZUdHCLASkIIWQK6+fE1C2epAdPtnsLsb++1d080jfXXwgyUUh4y bimcy9Jg5oZ4QMwnSq3Y+x38PNb+nTgjDi1X/89/WsNd7Bdh4Zvw3CAuc/W58CFaDjb7liUD YRoAp6ysnjPKEUSnAnMpgaiXJc1gFoL+ahdKJ3D9XTn28NTjUrvOkVidsuKbyxnXP9I6BO6i 2jzjrH6TEAfIYMjZlYTyPZTt271SW5iAHYwvPZWlqQTBT2P/d4gHl0To5b4e+UXxjQgxqUyi QIcxh3Ris21Kx4lKQKDXYWiwNTZzx8AdqrcxCWfK+MRpFyk0B+4uDMm7Apm5ZWwDKN/JnVsJ yokkkrrHs/elRCUGtN9NyhJQf3VnE87862Pej8PVvQJr3uVnoNX2yieTvJZftIOBG1b9ta6Z BcYyn3un1rSn7lBPg+RSnPemposVorQpjGwT+Dhg13Bpv5q0JfSc//js/nB6A4iq5YssdtQ7 35QBWLLaF1oCxalvrQVDD4Sh06eAUQsga9xeE0yv7sxqdsozdwARAQABzUJLYXJzdGVuIE1l eWVyIHp1IFNlbGhhdXNlbiA8a2Fyc3Rlbi5tZXllcnp1c2VsaGF1c2VuQGhhY2ttYW5pdC5k ZT7CwX8EEwEIACkFAl/4WSsCGyMFCQ+L3RcHCwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIXgAAK CRBFNcDn2xbxSKWlD/9BVhp53BFytM1EQ17x1TB76zFygZA33KZeQIWLkw/M8yWkuzgGTFJ8 Lx+kmC3xnk4WG6nIv4paU4y+K2+WlAQg3FR0CN0oHgb6gOSHu9ISDMdZm8Kzmie2hKSOG8wA 56oVhRYXElt3Oe22usywpcfCf8C1t0SjHkufUWgVFspaplKsEN6NwdSBLxQ0gzfEkl3RTfLV JEopw5MlLzKxM1EAbL0QZdORX6cIJI96BecnXA0fwlV2PmM+TSPUDzBFOneZBOdtgCduKVhG bVRDOtJ4LIEQFT7ZvlzYEaWueh8HNC6Y8wZKRaZ4cg8mXJuz+BizA8EEicubkqljKNlTuHB4 0l3R30m4w202U3XNDKmCsLGUVLfNet4mM3wLIw5sr9GUuDvz0+8J9eaAypqgU9NKfUHpecHC /AULjk7TK9hKq2o2mQCRiOOt4Ki6yeC068nQrE97eCS7/YikVHA7TXTchG82x4eqRpgyBonk uRwnuU3sGAty1+D1ehDFzTvGfh9GS8tncKgyAtj9acUIhYDW6yWesSX6B4OenXKnJhjbskAZ LFVegXWAPf1YT3ImCLBnhn8g7ZHwB/icyMaWCXURsO63beRhvAFjXNxKcL6f7gg8uW9z3GhR +Kcz2DRAWO6Xo8MBbed+Nc9z01jSNQBQa5SPnJaeBtfiUY+ZbmHfLs7BTQRYdSATARAAsp2V mr3N7iNND8+M/OyA/OwcDQ6utZh+m4TnKsOVdiNLGpu2U3/2Qg3yrbjic2dWx1CsS6VH2/oO 1e/a4FlxA93wFv/OZjiUjHtEvdIJeHWlCvWOUlMsqyGDc3Q75fNjFw6DGKkiOu9lZaBs6naS BmkvAMGjV5bNKLyIL5j7Im1pCdZ2lCjD7eVwR3RQQKobTmu916htX8g1cB9yFmquu37X+ZBl A4GLJi63Kw0L2r8i8iO1NqDLOfT8IeNkOroEm3SDAuEApGAubKLSPBJ1khQ7kDhpdfzSYKUF tiIHpGWVOImDjqf4JIcF7OIdRPQfFPlwoPnsyBAS8znQJvmqbbMowgFZe3UMLAN78CETZHGM OLBPB873oWyZ07Ar4v/SL5/aD+FRj2VnYEcGwt0HMmMyaN6ed8Udj4OTNZ7ceZA1Tw8/lZuI KCamj0XfJIK6376RCGnqjsEfS65P1KWZXfWphCKWp2c7uWKtau1q8pgiVRoBSAmjvfXRrIvK LhhQyNOiCUDKrvEWpoeq9y5GTrY27ncLov8nSR/SUPOw5HwJmzdFjhOF9XAOtiND/QRH886O IohdlnUu668mwLCmL2ROe7XWcTkFQWLDg+5b0bC9dgfL+HHpWGUdQPG3CCyPG5LfDmnmuXkE eU1kSD27kFe1kM6pfqpCydJW66DuwoMAEQEAAcLBlwQYAQgADwUCX/hZKwIbDAUJD4vdFwA8 CRBFNcDn2xbxSAkQRTXA59sW8UgJEEU1wOfbFvFICRBFNcDn2xbxSAkQRTXA59sW8UgJEEU1 wOfbFvFIQHUP/jKpA/Xco+eCnh1t4jR9c/8AiE1JR+3txOvsaMK8bWjnDtY5bIxOVvVPMUAI DUjNhSWVbHxPt+sZxEol+6oo9IP6MnWYxgx3IW2BWQUlYDyXzH3S8t7YxVo92+yD4kgZLOdq sKEJ2efr8OSgL4tcbAWA36UB8bOOHkOUXzoLLVN4qjuyRn9BPADGpcfxXEQb9iGVwbEZzfJ6 OtvbOHO0qfI3aX7btjqo2muhD1B8auhLQBVOfpn7LOnL8Hk6QKvkFEC3nqBMQbFUSLarmtXa o4cXSyLDmj+efMhbaimgbwxTxh125/ZaYE1q+LdHyHtbbPLAaxHr3dxPk1p0rjQxxXKG7k0p aal8dcVxp0yGEXOeuXr7Xba+uquF1wLf8kZRD0g7L31py3ay3cw+f3ADF/AgC+8lrlUlODa9 +z9sU7RKGF0fAY1gXV8P6GGPlVGJronrSIM2nSMkcCRJzg9vmPGAvrljQTqDQOf12s0jtevq VelIncMyQacOmw6DGKXsUiGRMNsobYe2BWrfXxoYFZ/0biIPnlY23MImgFUWZjnjD1jvkMzH 0u16cXBgjEAkPq5xy21RvXkwCt4T3XzOglDsxi22jmCSLTx45CGkEJaHLJ9tllkjrd3dQVIw P8hzeF0pGduCQAurcejd++jxzlqDk1hIuG9BqPySrt5AIMEG
In-Reply-To: <CAODMz5HZESoLP+ZfhgwLOmFWHo13AanrfchTBMubVU55CDSROg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/oQiBzWehBbgtIQD8ljFfbyOEXuk>
Subject: Re: [OAUTH-WG] Certificate-bound refresh tokens and certificate expiration handling in case of the confidential clients
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Aug 2022 13:37:17 -0000

Hi Jaimandeep,

I disagree with both of your points. See my comments inline.

Best regards,
Karsten

On 12.08.2022 05:40, Jaimandeep Singh wrote:
> Hi Mikheil,
> 1. Well explained by Brain. I will just add my perspective.
>
>     >From the practical perspective, if the confidential client got a
>     refresh
>     token for the offline access and sufficient time (e.g., for a
>     month), this
>     would be quite impractical and not very user-friendly to ask a lot
>     of users
>     to give consents again when the confidential client wants to
>     upgrade its
>     certificate. But seems like software vendors did not interpret the
>     RFC that
>     way.
>
> For confidential clients, authorization code flow is recommended. It 
> is a two step process. In the first step you get the authorization 
> code when the user provides his/her consent. In the second step you 
> use this authorization code along with client credentials to obtain 
> access tokens and refresh tokens. If the refresh token expires either 
> due to expiry of its lifetime or certificate, it only needs to follow 
> step two. So, the question of asking for consent again does not arise 
> unless the authorization code itself has limited lifespan.

IMHO authorization codes should always be implemented as one-time-use 
tokens. Even when there is a grace period allowing a client to redeem a 
code a second time (e.g., in case of network failure) this period should 
be very short - much shorter than the validity of refresh tokens in 
practice.

If the refresh token is expired, the client should start a new 
authorization flow and ask the user for consent again unless the AS 
provides a way for users to grant access for clients "permanently".

>
> 2.
>
>     While RFC 8705 indeed requires binding refresh token to the
>     certificate in
>     case of the public clients in Section 4 and Section 7.1
>
> The RFC 8705 talks about public clients and refresh tokens in the same 
> breath and seems to have legitimized the use of refresh tokens for 
> public clients. However, if we look at the original OAuth 2.0 
> specifications RFC 6749, Section 4.2, talks about implicit grant 
> optimized for public clients. It does not support issuing refresh 
> tokens by AS in the first place. I think there is a need to 
> deliberate on this issue in the next update / errata  for RFC 8705.

RFC 6749 is much older than RFC 8705. Both drafts "OAuth 2.0 Security 
Best Current Practice" (hopefully soon to be finished) and OAuth 2.1 
deprecate issuing access tokens from the authorization endpoint (which 
is more or less the implicit grant). Today's best practice is to use the 
authorization code grant for both confidential and public clients. 
Therefore, I do not think there is a need for an updated RFC replacing 8705.


>
> Regards and Best Wishes
> Jaimandeep Singh
>
>
> On Thu, Aug 11, 2022 at 11:46 PM <mikheil@association.ge> wrote:
>
>     Hi Brian,
>
>     Thanks for the prompt response. We will work with our vendors to
>     get this done according to the RFC.
>
>     Best Regards,
>     Mikheil Kapanadze
>
>     From: Brian Campbell <bcampbell@pingidentity.com>
>     Sent: ხუთშაბათი, 11 აგვისტო, 2022 21:04
>     To: mikheil@association.ge
>     Cc: oauth@ietf.org
>     Subject: Re: [OAUTH-WG] Certificate-bound refresh tokens and
>     certificate expiration handling in case of the confidential clients
>
>     Hi Mikheil,
>
>     Your assumption is the correct reading of the RFC. Or the intent
>     of the RFC anyway. For confidential clients, refresh tokens are
>     bound to the client id (not the certificate thumbprint or anything
>     else for that matter).
>
>     RFCs can't be changed after publication so adding more
>     clarification isn't really possible.
>
>
>
>     On Thu, Aug 11, 2022 at 9:11 AM <mailto:mikheil@association.ge> wrote:
>     Hi,
>
>     I have noticed is that some OAuth2 AS implementations use certificate
>     thumbprints to bind not only access tokens but also refresh tokens
>     to client
>     certificates. This happens for both public and confidential
>     clients. As a
>     result, when the certificate is replaced (e.g., it is about to
>     expire soon),
>     both access and refresh tokens are drawn unusable.
>
>     While RFC 8705 indeed requires binding refresh token to the
>     certificate in
>     case of the public clients in Section 4 and Section 7.1, the
>     wording is not
>     that explicit for the confidential clients. More specifically,
>     Section 7.1
>     of the RFC 8705 is worded in a way which does not explicitly deny
>     keeping
>     refresh tokens alive after certificate change: it talks about
>     binding to
>     client ID, thus binding "indirectly" to the certificate. Also,
>     Section 6.3
>     requires access tokens to be invalidated after certificate change and
>     mentions refresh tokens as typical tools for renewing them.
>
>     >From the practical perspective, if the confidential client got a
>     refresh
>     token for the offline access and sufficient time (e.g., for a
>     month), this
>     would be quite impractical and not very user-friendly to ask a lot
>     of users
>     to give consents again when the confidential client wants to
>     upgrade its
>     certificate. But seems like software vendors did not interpret the
>     RFC that
>     way.
>
>     So, the questions:
>     1) Is my assumption correct and it will not be a violation of the
>     RFC if
>     refresh tokens issued to the confidential clients survive
>     certificate change
>     (e.g., by binding them to Client ID, not the certificate thumbprint)?
>     2) If the answer on the 1st question is “yes”, would it be better
>     to provide
>     more clarification in the section 7.1 to avoid misinterpretations
>     in the
>     future?
>
>     Best Regards,
>     Mikheil Kapanadze
>
>
>
>     _______________________________________________
>     OAuth mailing list
>     mailto:OAuth@ietf.org
>     https://www.ietf.org/mailman/listinfo/oauth
>
>     CONFIDENTIALITY NOTICE: This email may contain confidential and
>     privileged material for the sole use of the intended recipient(s).
>     Any review, use, distribution or disclosure by others is strictly
>     prohibited.  If you have received this communication in error,
>     please notify the sender immediately by e-mail and delete the
>     message and any file attachments from your computer. Thank you.
>
>     _______________________________________________
>     OAuth mailing list
>     OAuth@ietf.org
>     https://www.ietf.org/mailman/listinfo/oauth
>
>
> --
> Regards and Best Wishes
> Jaimandeep Singh
> LinkedIn <http://www.linkedin.com/in/jaimandeep-singh-07834b1b7>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

-- 
Karsten Meyer zu Selhausen
Senior IT Security Consultant
Phone:	+49 (0)234 / 54456499
Web:	https://hackmanit.de  | IT Security Consulting, Penetration Testing, Security Training

Is your OAuth or OpenID Connect application vulnerable to mix-up attacks? Find out more on our blog:
https://www.hackmanit.de/en/blog-en/132-how-to-protect-your-oauth-client-against-mix-up-attacks

Hackmanit GmbH
Universitätsstraße 60 (Exzenterhaus)
44789 Bochum

Registergericht: Amtsgericht Bochum, HRB 14896
Geschäftsführer: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. Christian Mainka, Prof. Dr. Marcus Niemietz

v2.23.0 | Report a Bug | By Email