Re: [OAUTH-WG] Lifetime of refresh token
Donghwan Kim <flowersinthesand@gmail.com> Sat, 29 August 2015 04:26 UTC
Return-Path: <flowersinthesand@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 25AB91B38ED for <oauth@ietfa.amsl.com>; Fri, 28 Aug 2015 21:26:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mdJotrxyuVyx for <oauth@ietfa.amsl.com>; Fri, 28 Aug 2015 21:26:41 -0700 (PDT)
Received: from mail-io0-x22a.google.com (mail-io0-x22a.google.com [IPv6:2607:f8b0:4001:c06::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A36FA1B38F3 for <oauth@ietf.org>; Fri, 28 Aug 2015 21:26:41 -0700 (PDT)
Received: by iofe124 with SMTP id e124so47584381iof.1 for <oauth@ietf.org>; Fri, 28 Aug 2015 21:26:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=j6EnbAl3t9OvYavZVE+pQrYivrTq4LAvy4wN5mz6ND4=; b=pasXvVu+aml4r6yKg/98WVrmkP6f1V1EtC8hRVZSeILcdue2qf60bOh9iTc6cYBblL Pr3WnyV1mqC0Sw28pCS4dmPZAEkmfq8qNguVv8q+0IOae76iFm12+f/Bj92gdh+C7dsn 1S1XCYHjbDJEnQ8Jm5R4/WWVnLBr4l3C+XZd5L2PUsRJKGx9lE5XtidywrxOCegldULW 91tOWDRnHpV2yMQpIZNOZNV7H3ZF6+IJvcd1XvvLvUoPvbs+Qcv8WIA7pWi4kOGOWDH2 d24VNTtA/fbPuQUR+hC5zXelv5F1ybnqLkyTV+a/Db8vcwEHlaK3rszNXcY2zhEEmxTY FvSg==
MIME-Version: 1.0
X-Received: by 10.107.129.141 with SMTP id l13mr16255546ioi.181.1440822401086; Fri, 28 Aug 2015 21:26:41 -0700 (PDT)
Received: by 10.36.137.136 with HTTP; Fri, 28 Aug 2015 21:26:40 -0700 (PDT)
In-Reply-To: <55E0D4EE.9090402@manicode.com>
References: <CAMbDefvdNNLHSMZEXDDOhukzha8G0WLb9j7f6qVXTrXaGCQxTQ@mail.gmail.com> <DE1DE335-FBEF-494A-97F0-BE0F9D4BABAA@ve7jtb.com> <C44C21E6-2559-4099-8B21-3544DE8965BD@lodderstedt.net> <CAMbDefsu0XAQvCR2+ako4PbsoKeezLwgizJ4dVsKMAY_DXM_wA@mail.gmail.com> <B314B571-A0E4-41B0-8F05-B89DA5A73113@ve7jtb.com> <55E0D46C.2080901@manicode.com> <55E0D4EE.9090402@manicode.com>
Date: Sat, 29 Aug 2015 13:26:40 +0900
Message-ID: <CAMbDefv0tsYR0bKJYgcfitcn0RAR7=Sn9dX962YGpjjnh47SnA@mail.gmail.com>
From: Donghwan Kim <flowersinthesand@gmail.com>
To: Jim Manico <jim@manicode.com>
Content-Type: multipart/alternative; boundary="001a113f96be66bbae051e6b9bb6"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/qne5P4xVQYocJZxQYrQfYfSSHt8>
X-Mailman-Approved-At: Mon, 31 Aug 2015 07:36:38 -0700
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Lifetime of refresh token
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 29 Aug 2015 04:26:45 -0000
@John, @William I'm of exactly the same opinion. When refreshing the token on expiration of the access token, a new exchange of access token and refresh token should be issued unless that refresh token expired due to inactivity of 1 month or is invalidated by user through their some setting pages. Then, new 1 month of expiration starts again, which is what I called the persistent login. @Bill Come to think of it, it makes sense. If user lose his/her phone or something, he/she should invalidate the token issued to that device. Waiting for one month doesn't help. @Jim Your point is quite valid :) BTW, a self-descriptive access token that only the server understand may be able to cover some of profiles. For example, if the access token contains when the user is signed, banking resource server can ask user to sign in again, insisting such operation should be performed only within 10 minutes of signing in. Thanks for all replies! -- Donghwan On Sat, Aug 29, 2015 at 6:38 AM, Jim Manico <jim@manicode.com> wrote: > I stand corrected, the RFC does give specific time recommendations such as > 10 minutes authorization code recommendation here > https://tools.ietf.org/html/rfc6749#section-4.1.2 but I think my overall > point is still valid. :) > > Aloha, > Jim > > > > > > On 8/28/15 11:36 AM, Jim Manico wrote: > > Again, I would state that this is all contextual to the application being > built - which is why the RFC never gives specific times other than "short > lived" or "long lived". I would suggest giving a series of recommendations > relative to a few different risk profiles (low risk, social media, banking, > enterprise, etc) as opposed to one recommendation. > > With respect, > Jim Manico > > On 8/28/15 10:41 AM, John Bradley wrote: > > I would use a 5 min AT and roll the refresh token per > <https://tools.ietf.org/html/rfc6749#page-47> > https://tools.ietf.org/html/rfc6749#page-47 with a 1 month expiry if that > is what you want for a inactivity timeout after which the user must > authenticate again. The user can always revoke the refresh token. > > Rolling the refresh token also has the advantage that if the token leaks > or is stollen then you will detect the second use of the expired refresh > token and invalidate both, so the user needs to loggin. > > In general I think rolling the refresh token is a good idea though it is > not popular, I think it is more secure. > > John B. > > > > On Aug 28, 2015, at 11:21 AM, Donghwan Kim <flowersinthesand@gmail.com> > wrote: > > I'm sorry to introduce a common topic. > > As John has suggested, I'm going to design that > > * An access token should be short lived e.g. 5 minutes (not to hit the AS > to verify the token or 1 hour (to hit the AS to verify the token). I'm > inclined to 5 minutes for stateless architecture of RSs. > * A refresh token should have 1 month of expiration time by default. If it > turns out that some access token expired, its refresh token should refresh > the token. Then, so called persistent login can be implemented regardless > of the form of authentication. Only if it fails for some reason e.g. token > revocation or inactivity for 1 month, a user is logged out automatically > and should log in again. > * A refresh token should be able to be revoked somehow. With 5 minutes > approach, it will invalidate only the refresh token (Yes the attacker can > have 5 minutes at most), and with 1 hour approach, it will invalidate the > refresh token as well as the corresponding access token. > > Thanks, > > -- Donghwan > > On Fri, Aug 28, 2015 at 5:43 PM, Torsten Lodderstedt < > torsten@lodderstedt.net> wrote: > >> Refresh tokens are also used by public clients, e.g. native apps. OIDC >> allows to acquire a new id token from a refresh token as well. Note: this >> does not mean a fresh authentication but a refreshed id token containing >> the data of the original authentication transaction. >> >> Am 24. August 2015 17:08:21 MESZ, schrieb John Bradley <ve7jtb@ve7jtb.com>: >> >>> >>> I think Nat’s diagram about the problems of doing pseudo authentication >>> with OAuth is being taken out of context. >>> >>> The refresh token dosen’t expire, it is revoked by the user or system. >>> In some cases refresh tokens are automatically revoked if the users session >>> to the AS ends. I think AOL typically revokes refresh tokens when sessions >>> terminate. >>> >>> OpenID Connect provides a separate id_token with a independent lifetime >>> from the refresh token. A client may keep a refresh token for a much >>> longer time than the user has a login session with the AS. >>> >>> Refresh tokens are typically used by confidential clients that are using >>> a client secret in combination with the refresh token for getting a new >>> access token. >>> >>> By design access tokens should be short lived as the AS is expected to >>> have a way of revoking refresh tokens but not access tokens. >>> A access token that dosen't expire , and can’t be revoked is not a good >>> idea. >>> >>> John B. >>> >>> >>> On Aug 24, 2015, at 2:41 AM, Donghwan Kim < <flowersinthesand@gmail.com> >>> flowersinthesand@gmail.com> wrote: >>> >>> Hi, >>> >>> According to Figure 2 from >>> <http://tools.ietf.org/html/rfc6749#section-1.5> >>> http://tools.ietf.org/html/rfc6749#section-1.5, refresh token can be >>> used to refresh an expired access token without requesting resource owner >>> to sign in again (uncomfortable experience). However, if it's true, isn't >>> it that refresh token might be used to request a new access token even >>> years later? and then isn't refresh token the same with access token which >>> never expires? >>> >>> I intended to use refresh token to implement persistent login by sending >>> a refresh request before issued access token expires (expires_in runs out). >>> But if refresh token works even if access token expired already, sending a >>> refresh request on application start up would be enough. >>> >>> So I'm not sure what I'm missing about refresh token as well as how to >>> implement persistent login using it (you can regard authentication here >>> pseudo-authentication illustrated in >>> <https://upload.wikimedia.org/wikipedia/commons/3/32/OpenIDvs.Pseudo-AuthenticationusingOAuth.svg> >>> https://upload.wikimedia.org/wikipedia/commons/3/32/OpenIDvs.Pseudo-AuthenticationusingOAuth.svg). >>> What is the lifetime of refresh token? >>> >>> Thanks, >>> >>> -- Donghwan >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>> >>> >>> >>> ------------------------------ >>> >>> OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth >>> >>> _______________________________________________ > OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth > > -- > Jim Manico > Manicode Securityhttps://www.manicode.com > > -- > Jim Manico > Manicode Securityhttps://www.manicode.com > >
- [OAUTH-WG] Lifetime of refresh token Donghwan Kim
- Re: [OAUTH-WG] Lifetime of refresh token Justin Richer
- Re: [OAUTH-WG] Lifetime of refresh token John Bradley
- Re: [OAUTH-WG] Lifetime of refresh token Jim Manico
- Re: [OAUTH-WG] Lifetime of refresh token Bill Mills
- Re: [OAUTH-WG] Lifetime of refresh token Torsten Lodderstedt
- Re: [OAUTH-WG] Lifetime of refresh token Donghwan Kim
- Re: [OAUTH-WG] Lifetime of refresh token Bill Mills
- Re: [OAUTH-WG] Lifetime of refresh token Justin Richer
- Re: [OAUTH-WG] Lifetime of refresh token John Bradley
- Re: [OAUTH-WG] Lifetime of refresh token William Denniss
- Re: [OAUTH-WG] Lifetime of refresh token Jim Manico
- Re: [OAUTH-WG] Lifetime of refresh token Jim Manico
- Re: [OAUTH-WG] Lifetime of refresh token Jim Manico
- Re: [OAUTH-WG] Lifetime of refresh token Donghwan Kim
- Re: [OAUTH-WG] Lifetime of refresh token Nat Sakimura