Re: [OAUTH-WG] Lifetime of refresh token
Jim Manico <jim@manicode.com> Fri, 28 August 2015 21:34 UTC
Return-Path: <jim@manicode.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 79A841ABD3D for <oauth@ietfa.amsl.com>; Fri, 28 Aug 2015 14:34:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id peypuvn2prXZ for <oauth@ietfa.amsl.com>; Fri, 28 Aug 2015 14:34:11 -0700 (PDT)
Received: from mail-pa0-f50.google.com (mail-pa0-f50.google.com [209.85.220.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3029F1A92F4 for <oauth@ietf.org>; Fri, 28 Aug 2015 14:34:11 -0700 (PDT)
Received: by padhm10 with SMTP id hm10so18707701pad.3 for <oauth@ietf.org>; Fri, 28 Aug 2015 14:34:10 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to:content-type; bh=EMQsq+PXN3WsR1R3iBNX9iSeLNVZ5LKDaYdf/gqVXZs=; b=AcqPi0CoXvBQqsUc1dxp1w+lKTBs+wkH16lz6raz7uyq9LmNs8Fx66TtpzZL20vN7s vy4tZsvoiacS9cZu5T/mDapRq/7zNyd+9dl+iZYriZ+1JzK7kMEbkzCEpS8yKuKZ9RgK 2gP986fbj/Gj1ReWou00CEA+fRMgfwrKq6LGU0PfDB+x5AgnxdUc5+hbuCicIbvWhFeQ UNKgkgxdq651dw5XED81uuBeHyYc7AgzLzqeVIVe8MGXLJYl32tJAfzvnN92ot15epoL erHWOjkW8Kp0fhU/eWCtpaM3IPk65mCFGo7cwz143K3dH1cCqSIbIoHOyrbH3+di105k /DuQ==
X-Gm-Message-State: ALoCoQkC5pfP2LNGCn+AO+GvvuzDjkX38cUobj7gauCoVsz0gQrbfOfXaqjiWe1KfGNpCO0qpMj8
X-Received: by 10.66.236.74 with SMTP id us10mr18789888pac.64.1440797650585; Fri, 28 Aug 2015 14:34:10 -0700 (PDT)
Received: from heembo.local (cpe-50-113-38-25.hawaii.res.rr.com. [50.113.38.25]) by smtp.googlemail.com with ESMTPSA id eg2sm6798517pad.44.2015.08.28.14.34.08 (version=TLSv1/SSLv3 cipher=OTHER); Fri, 28 Aug 2015 14:34:10 -0700 (PDT)
To: William Denniss <wdenniss@google.com>, John Bradley <ve7jtb@ve7jtb.com>, Donghwan Kim <flowersinthesand@gmail.com>
References: <CAMbDefvdNNLHSMZEXDDOhukzha8G0WLb9j7f6qVXTrXaGCQxTQ@mail.gmail.com> <DE1DE335-FBEF-494A-97F0-BE0F9D4BABAA@ve7jtb.com> <C44C21E6-2559-4099-8B21-3544DE8965BD@lodderstedt.net> <CAMbDefsu0XAQvCR2+ako4PbsoKeezLwgizJ4dVsKMAY_DXM_wA@mail.gmail.com> <B314B571-A0E4-41B0-8F05-B89DA5A73113@ve7jtb.com> <CAAP42hCmkqHEfZi_f-hCwMN2e0qn-4040-=jHcCHoeDVLONmaA@mail.gmail.com>
From: Jim Manico <jim@manicode.com>
Message-ID: <55E0D3CF.2040507@manicode.com>
Date: Fri, 28 Aug 2015 11:34:07 -1000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Thunderbird/38.2.0
MIME-Version: 1.0
In-Reply-To: <CAAP42hCmkqHEfZi_f-hCwMN2e0qn-4040-=jHcCHoeDVLONmaA@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------010709090907030109080200"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/p9EOOIW04eChElMczplaK5u3_OM>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Lifetime of refresh token
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Aug 2015 21:34:14 -0000
This is all contextual to the application. In some situations I want to immediately force re-authentication for all transactions above X$ such as banking applications. In some situations I want a permanent refresh token, like for Twitter like social applications. etc...etc... - Jim Manico On 8/28/15 10:58 AM, William Denniss wrote: > +1 for John's suggestion. > > Why force users to re-authenticate after an arbitrary 30-day window? > > On Fri, Aug 28, 2015 at 1:41 PM John Bradley <ve7jtb@ve7jtb.com > <mailto:ve7jtb@ve7jtb.com>> wrote: > > I would use a 5 min AT and roll the refresh token per > https://tools.ietf.org/html/rfc6749#page-47 with a 1 month expiry > if that is what you want for a inactivity timeout after which the > user must authenticate again. The user can always revoke the > refresh token. > > Rolling the refresh token also has the advantage that if the token > leaks or is stollen then you will detect the second use of the > expired refresh token and invalidate both, so the user needs to > loggin. > > In general I think rolling the refresh token is a good idea though > it is not popular, I think it is more secure. > > John B. > > > >> On Aug 28, 2015, at 11:21 AM, Donghwan Kim >> <flowersinthesand@gmail.com <mailto:flowersinthesand@gmail.com>> >> wrote: >> >> I'm sorry to introduce a common topic. >> >> As John has suggested, I'm going to design that >> >> * An access token should be short lived e.g. 5 minutes (not to >> hit the AS to verify the token or 1 hour (to hit the AS to verify >> the token). I'm inclined to 5 minutes for stateless architecture >> of RSs. >> * A refresh token should have 1 month of expiration time by >> default. If it turns out that some access token expired, its >> refresh token should refresh the token. Then, so called >> persistent login can be implemented regardless of the form of >> authentication. Only if it fails for some reason e.g. token >> revocation or inactivity for 1 month, a user is logged out >> automatically and should log in again. >> * A refresh token should be able to be revoked somehow. With 5 >> minutes approach, it will invalidate only the refresh token (Yes >> the attacker can have 5 minutes at most), and with 1 hour >> approach, it will invalidate the refresh token as well as the >> corresponding access token. >> >> Thanks, >> >> -- Donghwan >> >> On Fri, Aug 28, 2015 at 5:43 PM, Torsten Lodderstedt >> <torsten@lodderstedt.net <mailto:torsten@lodderstedt.net>> wrote: >> >> Refresh tokens are also used by public clients, e.g. native >> apps. OIDC allows to acquire a new id token from a refresh >> token as well. Note: this does not mean a fresh >> authentication but a refreshed id token containing the data >> of the original authentication transaction. >> >> Am 24. August 2015 17:08:21 MESZ, schrieb John Bradley >> <ve7jtb@ve7jtb.com <mailto:ve7jtb@ve7jtb.com>>: >> >> I think Nat’s diagram about the problems of doing pseudo >> authentication with OAuth is being taken out of context. >> >> The refresh token dosen’t expire, it is revoked by the >> user or system. In some cases refresh tokens are >> automatically revoked if the users session to the AS >> ends. I think AOL typically revokes refresh tokens when >> sessions terminate. >> >> OpenID Connect provides a separate id_token with a >> independent lifetime from the refresh token. A client >> may keep a refresh token for a much longer time than the >> user has a login session with the AS. >> >> Refresh tokens are typically used by confidential clients >> that are using a client secret in combination with the >> refresh token for getting a new access token. >> >> By design access tokens should be short lived as the AS >> is expected to have a way of revoking refresh tokens but >> not access tokens. >> A access token that dosen't expire , and can’t be revoked >> is not a good idea. >> >> John B. >> >> >>> On Aug 24, 2015, at 2:41 AM, Donghwan Kim >>> <flowersinthesand@gmail.com >>> <mailto:flowersinthesand@gmail.com>> wrote: >>> >>> Hi, >>> >>> According to Figure 2 from >>> http://tools.ietf.org/html/rfc6749#section-1.5, refresh >>> token can be used to refresh an expired access token >>> without requesting resource owner to sign in again >>> (uncomfortable experience). However, if it's true, isn't >>> it that refresh token might be used to request a new >>> access token even years later? and then isn't refresh >>> token the same with access token which never expires? >>> >>> I intended to use refresh token to implement persistent >>> login by sending a refresh request before issued access >>> token expires (expires_in runs out). But if refresh >>> token works even if access token expired already, >>> sending a refresh request on application start up would >>> be enough. >>> >>> So I'm not sure what I'm missing about refresh token as >>> well as how to implement persistent login using it (you >>> can regard authentication here pseudo-authentication >>> illustrated in >>> https://upload.wikimedia.org/wikipedia/commons/3/32/OpenIDvs.Pseudo-AuthenticationusingOAuth.svg). >>> What is the lifetime of refresh token? >>> >>> Thanks, >>> >>> -- Donghwan >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>> https://www.ietf.org/mailman/listinfo/oauth >> >> >> ------------------------------------------------------------------------ >> >> OAuth mailing list >> OAuth@ietf.org <mailto:OAuth@ietf.org> >> https://www.ietf.org/mailman/listinfo/oauth >> > _______________________________________________ OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth -- Jim Manico Manicode Security https://www.manicode.com
- [OAUTH-WG] Lifetime of refresh token Donghwan Kim
- Re: [OAUTH-WG] Lifetime of refresh token Justin Richer
- Re: [OAUTH-WG] Lifetime of refresh token John Bradley
- Re: [OAUTH-WG] Lifetime of refresh token Jim Manico
- Re: [OAUTH-WG] Lifetime of refresh token Bill Mills
- Re: [OAUTH-WG] Lifetime of refresh token Torsten Lodderstedt
- Re: [OAUTH-WG] Lifetime of refresh token Donghwan Kim
- Re: [OAUTH-WG] Lifetime of refresh token Bill Mills
- Re: [OAUTH-WG] Lifetime of refresh token Justin Richer
- Re: [OAUTH-WG] Lifetime of refresh token John Bradley
- Re: [OAUTH-WG] Lifetime of refresh token William Denniss
- Re: [OAUTH-WG] Lifetime of refresh token Jim Manico
- Re: [OAUTH-WG] Lifetime of refresh token Jim Manico
- Re: [OAUTH-WG] Lifetime of refresh token Jim Manico
- Re: [OAUTH-WG] Lifetime of refresh token Donghwan Kim
- Re: [OAUTH-WG] Lifetime of refresh token Nat Sakimura