IETF Logo Mail Archive

Re: [OAUTH-WG] Lifetime of refresh token

Jim Manico <jim@manicode.com> Fri, 28 August 2015 21:34 UTC

Return-Path: <jim@manicode.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 79A841ABD3D for <oauth@ietfa.amsl.com>; Fri, 28 Aug 2015 14:34:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id peypuvn2prXZ for <oauth@ietfa.amsl.com>; Fri, 28 Aug 2015 14:34:11 -0700 (PDT)
Received: from mail-pa0-f50.google.com (mail-pa0-f50.google.com [209.85.220.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3029F1A92F4 for <oauth@ietf.org>; Fri, 28 Aug 2015 14:34:11 -0700 (PDT)
Received: by padhm10 with SMTP id hm10so18707701pad.3 for <oauth@ietf.org>; Fri, 28 Aug 2015 14:34:10 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to:content-type; bh=EMQsq+PXN3WsR1R3iBNX9iSeLNVZ5LKDaYdf/gqVXZs=; b=AcqPi0CoXvBQqsUc1dxp1w+lKTBs+wkH16lz6raz7uyq9LmNs8Fx66TtpzZL20vN7s vy4tZsvoiacS9cZu5T/mDapRq/7zNyd+9dl+iZYriZ+1JzK7kMEbkzCEpS8yKuKZ9RgK 2gP986fbj/Gj1ReWou00CEA+fRMgfwrKq6LGU0PfDB+x5AgnxdUc5+hbuCicIbvWhFeQ UNKgkgxdq651dw5XED81uuBeHyYc7AgzLzqeVIVe8MGXLJYl32tJAfzvnN92ot15epoL erHWOjkW8Kp0fhU/eWCtpaM3IPk65mCFGo7cwz143K3dH1cCqSIbIoHOyrbH3+di105k /DuQ==
X-Gm-Message-State: ALoCoQkC5pfP2LNGCn+AO+GvvuzDjkX38cUobj7gauCoVsz0gQrbfOfXaqjiWe1KfGNpCO0qpMj8
X-Received: by 10.66.236.74 with SMTP id us10mr18789888pac.64.1440797650585; Fri, 28 Aug 2015 14:34:10 -0700 (PDT)
Received: from heembo.local (cpe-50-113-38-25.hawaii.res.rr.com. [50.113.38.25]) by smtp.googlemail.com with ESMTPSA id eg2sm6798517pad.44.2015.08.28.14.34.08 (version=TLSv1/SSLv3 cipher=OTHER); Fri, 28 Aug 2015 14:34:10 -0700 (PDT)
To: William Denniss <wdenniss@google.com>, John Bradley <ve7jtb@ve7jtb.com>, Donghwan Kim <flowersinthesand@gmail.com>
References: <CAMbDefvdNNLHSMZEXDDOhukzha8G0WLb9j7f6qVXTrXaGCQxTQ@mail.gmail.com> <DE1DE335-FBEF-494A-97F0-BE0F9D4BABAA@ve7jtb.com> <C44C21E6-2559-4099-8B21-3544DE8965BD@lodderstedt.net> <CAMbDefsu0XAQvCR2+ako4PbsoKeezLwgizJ4dVsKMAY_DXM_wA@mail.gmail.com> <B314B571-A0E4-41B0-8F05-B89DA5A73113@ve7jtb.com> <CAAP42hCmkqHEfZi_f-hCwMN2e0qn-4040-=jHcCHoeDVLONmaA@mail.gmail.com>
From: Jim Manico <jim@manicode.com>
Message-ID: <55E0D3CF.2040507@manicode.com>
Date: Fri, 28 Aug 2015 11:34:07 -1000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Thunderbird/38.2.0
MIME-Version: 1.0
In-Reply-To: <CAAP42hCmkqHEfZi_f-hCwMN2e0qn-4040-=jHcCHoeDVLONmaA@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------010709090907030109080200"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/p9EOOIW04eChElMczplaK5u3_OM>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Lifetime of refresh token
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Aug 2015 21:34:14 -0000

This is all contextual to the application. In some situations I want to 
immediately force re-authentication for all transactions above X$ such 
as banking applications. In some situations I want a permanent refresh 
token, like for Twitter like social applications. etc...etc...

- Jim Manico



On 8/28/15 10:58 AM, William Denniss wrote:
> +1 for John's suggestion.
>
> Why force users to re-authenticate after an arbitrary 30-day window?
>
> On Fri, Aug 28, 2015 at 1:41 PM John Bradley <ve7jtb@ve7jtb.com 
> <mailto:ve7jtb@ve7jtb.com>> wrote:
>
>     I would use a 5 min AT and roll the refresh token per
>     https://tools.ietf.org/html/rfc6749#page-47 with a 1 month expiry
>     if that is what you want for a inactivity timeout after which the
>     user must authenticate again.   The user can always revoke the
>     refresh token.
>
>     Rolling the refresh token also has the advantage that if the token
>     leaks or is stollen then you will detect the second use of the
>     expired refresh token and invalidate both, so the user needs to
>     loggin.
>
>     In general I think rolling the refresh token is a good idea though
>     it is not popular, I think it is more secure.
>
>     John B.
>
>
>
>>     On Aug 28, 2015, at 11:21 AM, Donghwan Kim
>>     <flowersinthesand@gmail.com <mailto:flowersinthesand@gmail.com>>
>>     wrote:
>>
>>     I'm sorry to introduce a common topic.
>>
>>     As John has suggested, I'm going to design that
>>
>>     * An access token should be short lived e.g. 5 minutes (not to
>>     hit the AS to verify the token or 1 hour (to hit the AS to verify
>>     the token). I'm inclined to 5 minutes for stateless architecture
>>     of RSs.
>>     * A refresh token should have 1 month of expiration time by
>>     default. If it turns out that some access token expired, its
>>     refresh token should refresh the token. Then, so called
>>     persistent login can be implemented regardless of the form of
>>     authentication. Only if it fails for some reason e.g. token
>>     revocation or inactivity for 1 month, a user is logged out
>>     automatically and should log in again.
>>     * A refresh token should be able to be revoked somehow. With 5
>>     minutes approach, it will invalidate only the refresh token (Yes
>>     the attacker can have 5 minutes at most), and with 1 hour
>>     approach, it will invalidate the refresh token as well as the
>>     corresponding access token.
>>
>>     Thanks,
>>
>>     -- Donghwan
>>
>>     On Fri, Aug 28, 2015 at 5:43 PM, Torsten Lodderstedt
>>     <torsten@lodderstedt.net <mailto:torsten@lodderstedt.net>> wrote:
>>
>>         Refresh tokens are also used by public clients, e.g. native
>>         apps. OIDC allows to acquire a new id token from a refresh
>>         token as well. Note: this does not mean a fresh
>>         authentication but a refreshed id token containing the data
>>         of the original authentication transaction.
>>
>>         Am 24. August 2015 17:08:21 MESZ, schrieb John Bradley
>>         <ve7jtb@ve7jtb.com <mailto:ve7jtb@ve7jtb.com>>:
>>
>>             I think Nat’s diagram about the problems of doing pseudo
>>             authentication with OAuth is being taken out of context.
>>
>>             The refresh token dosen’t expire, it is revoked by the
>>             user or system.  In some cases refresh tokens are
>>             automatically revoked if the users session to the AS
>>             ends.  I think AOL typically revokes refresh tokens when
>>             sessions terminate.
>>
>>             OpenID Connect provides a separate id_token with a
>>             independent lifetime from the refresh token.  A client
>>             may keep a refresh token for a much longer time than the
>>             user has a login session with the AS.
>>
>>             Refresh tokens are typically used by confidential clients
>>             that are using a client secret in combination with the
>>             refresh token for getting a new access token.
>>
>>             By design access tokens should be short lived as the AS
>>             is expected to have a way of revoking refresh tokens but
>>             not access tokens.
>>             A access token that dosen't expire , and can’t be revoked
>>             is not a good idea.
>>
>>             John B.
>>
>>
>>>             On Aug 24, 2015, at 2:41 AM, Donghwan Kim
>>>             <flowersinthesand@gmail.com
>>>             <mailto:flowersinthesand@gmail.com>> wrote:
>>>
>>>             Hi,
>>>
>>>             According to Figure 2 from
>>>             http://tools.ietf.org/html/rfc6749#section-1.5, refresh
>>>             token can be used to refresh an expired access token
>>>             without requesting resource owner to sign in again
>>>             (uncomfortable experience). However, if it's true, isn't
>>>             it that refresh token might be used to request a new
>>>             access token even years later? and then isn't refresh
>>>             token the same with access token which never expires?
>>>
>>>             I intended to use refresh token to implement persistent
>>>             login by sending a refresh request before issued access
>>>             token expires (expires_in runs out). But if refresh
>>>             token works even if access token expired already,
>>>             sending a refresh request on application start up would
>>>             be enough.
>>>
>>>             So I'm not sure what I'm missing about refresh token as
>>>             well as how to implement persistent login using it (you
>>>             can regard authentication here pseudo-authentication
>>>             illustrated in
>>>             https://upload.wikimedia.org/wikipedia/commons/3/32/OpenIDvs.Pseudo-AuthenticationusingOAuth.svg).
>>>             What is the lifetime of refresh token?
>>>
>>>             Thanks,
>>>
>>>             -- Donghwan
>>>             _______________________________________________
>>>             OAuth mailing list
>>>             OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>             https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>             ------------------------------------------------------------------------
>>
>>             OAuth mailing list
>>             OAuth@ietf.org <mailto:OAuth@ietf.org>
>>             https://www.ietf.org/mailman/listinfo/oauth
>>
>     _______________________________________________ OAuth mailing list
>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>     https://www.ietf.org/mailman/listinfo/oauth 
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
-- 
Jim Manico
Manicode Security
https://www.manicode.com

v2.23.0 | Report a Bug | By Email