Re: [OAUTH-WG] [EXTERNAL] Rotating RTs and grace periods

Neil Madden <> Tue, 02 November 2021 21:20 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 21C053A0B38 for <>; Tue, 2 Nov 2021 14:20:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id OumnrNP14T_d for <>; Tue, 2 Nov 2021 14:20:19 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::330]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 15AE63A0B30 for <>; Tue, 2 Nov 2021 14:20:19 -0700 (PDT)
Received: by with SMTP id f7-20020a1c1f07000000b0032ee11917ceso397532wmf.0 for <>; Tue, 02 Nov 2021 14:20:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=content-transfer-encoding:from:mime-version:subject:date:message-id :references:cc:in-reply-to:to; bh=RzdvBZluKJvbFPYDg2VquFKZMVqzyxYnCRijYIha03c=; b=CdmL4tf8XPfIokidGHLGuPaR5xqPlmF6IudkCFW7cwltDKrFtXwAlnUMtdXQt5QioN x/pNosFJb2Xt/o/5YKKkIkm292VbSrlWUY4YIq0c3dnsEMdZYBP9lN4vviRRTe/94dDk o4fYpu0yiGp1/iyfAApay1PBWyCmcj/p8tL0U=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20210112; h=x-gm-message-state:content-transfer-encoding:from:mime-version :subject:date:message-id:references:cc:in-reply-to:to; bh=RzdvBZluKJvbFPYDg2VquFKZMVqzyxYnCRijYIha03c=; b=MQzC3aXr9mkS1qKkhnTRgDv9QpzkM8EwaPHoWKAa8Jrw6faAMcBI3hUhKaeBqB+J2k PE9jWdg5OFdFQV4LqMHSr0e2297rW1LIJ43DuwjOxjQhkZGiG64XUP/cBP3pvxuaaYJp T12GhxbqEoyv0cqBRswsdQrVN9CMqdU+s1QXLqWjz5dnel9cDssdgr40NO1KMejpqnkN OIu9oavMxov0Di8r+Pw50DjiO90ik7+9/+lGrdam1SHcsJhkoV6KnUHnPHlBzhh7Ulym f/ut62vs0ivvoLFrmA+bQ84MgzMgY7ON8ljj7A6Xwjrsh0N0PscW5MQnwToi+y5up1os S6SQ==
X-Gm-Message-State: AOAM530+b4ltNo78AORnUKhfZPb8WT2BlbSJZt31scUSgit/atXJeupH zJjztg7gcCi/YNeAERXeHcOs4cZSFtY9zudo5JubwVqe9rT7L/Kbf76R8GSb2SDPhCe1MZpL/Cq TWzW/TC5Xez8h+1eFCbSL3hkPLN9DKZt+hjcl7/ejzyxONzn5nhA27HrgcbAtEDgBAg==
X-Google-Smtp-Source: ABdhPJyYfujbfLwjcrjnDhNQRuDO0AFTCKFvLtmniPOGY19tJlexIZB/xBvwrdoXurzR6s+BONeICQ==
X-Received: by 2002:a05:600c:1989:: with SMTP id t9mr10201956wmq.48.1635888015880; Tue, 02 Nov 2021 14:20:15 -0700 (PDT)
Received: from ( []) by with ESMTPSA id q84sm4997411wme.3.2021. (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 02 Nov 2021 14:20:15 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail-5BC87443-87C9-4104-8E24-06CCF36C6A7E"
Content-Transfer-Encoding: 7bit
From: Neil Madden <>
Mime-Version: 1.0 (1.0)
Date: Tue, 02 Nov 2021 21:20:13 +0000
Message-Id: <>
References: <>
Cc: oauth <>
In-Reply-To: <>
To: Pieter Kasselman <>
X-Mailer: iPhone Mail (18H17)
Archived-At: <>
Subject: Re: [OAUTH-WG] [EXTERNAL] Rotating RTs and grace periods
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 02 Nov 2021 21:20:24 -0000

The grace period is to allow the client to retry if it fails to receive the new RT for any reason. For example, the client performs a successful refresh flow but loses mobile network signal before receiving the response. The grace period allows the client to simply retry the request, whereas without a grace period the first request would have invalidated the old RT leaving the client with no option but to perform a full authorization flow again to get a new one. 

I’m generally against allowing a grace period at all, but given that it’s a common request and some implementations are already allowing this, I’m hoping we can find some wording we can all agree on. 

I agree that a grace period is more acceptable if the RT is sender-constrained by something like DPoP, but then in that case does RT rotation add anything anyway? The current BCP lists these two as either/or rather than defence in depth. 

— Neil

> On 2 Nov 2021, at 14:09, Pieter Kasselman <> wrote:
> Neil
> Is the goal to accommodate network latency or clock drift? It would be helpful to include reasons for why a grace period should be considered if it is allowed.
> Without knowing the reasons for the grace period it is not clear why a grace period is a better solution than just extending the expiry time by a set time (60 seconds in your example) and having the client present the token a little earlier.
> If grace periods are allowed, it may be worth considering adding additional mitigations against replay. For example, a grace period may be allowed if the refresh token is sender constrained with DPoP so there is at least some assurances that the request is originating from the sender (especially if the nonce option is used with DPoP).
> I would worry about adding more complexity and less predictability by adding grace periods though (e.g. by looking at a refresh token, will you be able to tell if it can still be used or not), but your point that implementors may solve for it in other less predictable ways raises a valid point.
> Cheers
> Pieter
> From: OAuth <> On Behalf Of Neil Madden
> Sent: Tuesday 2 November 2021 10:29
> To: oauth <>
> Subject: [EXTERNAL] [OAUTH-WG] Rotating RTs and grace periods
> Hi all,
> There was a previous discussion on whether to allow a grace period during refresh token rotation, allowing the client to retry a refresh if the response fails to be received due to some transient network issue/timeout [1]. Vittorio mentioned that Auth0 already implement such a grace period. We (ForgeRock) currently do not, but we do periodically receive requests to support this. The current security BCP draft is silent on whether implementing such a grace period is a good idea, but I think we should add some guidance here one way or another.
> My own opinion is that a grace period is not a good idea, and if it is to be supported as an option then it should be kept as short as possible. The reason (as I mentioned in the previous thread) is that it is quite easy for an attacker to observe when a legitimate client performs a refresh flow and so can easily sneak in their own request afterwards within the grace period. There are several reasons why it is easy for an attacker to observe this:
> - RT rotation is primarily intended for public clients, such as mobile apps and SPAs. These clients are geographically distributed across the internet, and so there is a good chance that the attacker is able to observe the network traffic of at least some of these client instances.
> - The refresh flow is typically the only request that the client makes directly to the AS after initial authorization, so despite the traffic being encrypted it is very easy for an observer to determine that the client is performing a refresh whenever it makes any connection to the AS.
> - As well as observing the request itself, an attacker may be able to observe the DNS lookup for the AS hostname instead, which is even more likely to be observable and also in plaintext most of the time.
> - An attacker in a position to steal RTs from e.g. localStorage, is probably also in a good position to either observe when the legitimate client refreshes or to actually force it to refresh early (e.g., by deleting the corresponding AT from the same storage).
> I know some people argue that a grace period is a reasonable trade-off between security and usability. But I think that this kind of attack would be quite easy to carry out in practice for the reasons I suggest above, so I think the security actually degrades extremely quickly if you allow a grace period of any reasonable length. 
> On the other hand, if we discourage this entirely then people may use dubious workarounds instead (e.g., one proposal I’ve seen was to use an ID token with the JWT Bearer grant, effectively turning the ID Token into an ad-hoc RT with much fewer protections).
> As a strawman, what would people think of wording like the following:
> ---
> The AS MAY allow the original RT to be replayed for a short grace period to allow the client to recover if the response is not received due to a network problem or other transient issue. However, implementors should be aware that an attacker may be able to easily observe when the legitimate client makes a refresh request to the AS and so time their use of a stolen RT to occur within the grace period. Any grace period MUST be kept as short as possible, and MUST NOT exceed 60 seconds. Clients should prefer sender-constrained refresh tokens if recovery from network issues is a priority.
> —
> (The 60 seconds limit here is based on Auth0’s grace period).
> [1]: 
> Kind regards,
> Neil