Re: [OAUTH-WG] PKCE and refresh tokens

David Waite <david@alkaline-solutions.com> Fri, 28 February 2020 19:07 UTC

From: David Waite <david@alkaline-solutions.com>
In-Reply-To: <CANhzChNLXZBr-HaUX_jZG_kk=5gM6j79gQ0YYmy=HJ=6YFtwzw@mail.gmail.com>
Date: Fri, 28 Feb 2020 12:07:03 -0700
Cc: oauth@ietf.org
Message-Id: <F3B4C4A2-146A-4EF0-9F5E-269E9BE2A049@alkaline-solutions.com>
References: <CANhzChNLXZBr-HaUX_jZG_kk=5gM6j79gQ0YYmy=HJ=6YFtwzw@mail.gmail.com>
To: Albin Nilsson <albin@bergson.nu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/tnSCH05zeJI07zKp6FgrF_QDbvs>

> On Feb 28, 2020, at 8:46 AM, Albin Nilsson <albin@bergson.nu> wrote:
> 
> Hello,
> 
> I'm having some trouble with OAuth and the Authorization Code flow and PKCE. How can I get a refresh token? The refresh token flow requires a client_secret, but PKCE prohibits client_secret. Is refresh token a no go?

PKCE provides XSRF protection and proof that the two parts of the code flow are from the same client. It does not forbid using client secrets, and is recommended by the security BCP for both public and confidential clients due to its XSRF protection.

Refresh token grant requests only require authentication (such as with a client secret) for confidential clients. Public clients are permitted to refresh without providing a secret or other credentials.

The lack of allowances for public clients by some implementations initially is why the AppAuth BCP and the browser-based apps draft allow for the use of a secret in both the code request and the refresh request, with the understanding by the AS that, policy-wise, this must be treated as a public client.

-DW
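The exchange described in the reply above, as an added example that is not part of the original thread: a toy in-process authorization server and a public client run the Authorization Code grant with PKCE (RFC 7636, S256), then the refresh_token grant with no client_secret, while a confidential client is still required to authenticate on both requests. The client ids ("spa-client", "backend-client"), the sample secret and the token formats are assumptions constructed for this example; the AS is a few functions, not any real implementation.

```python
# Added example, not from the thread: a toy OAuth 2.0 authorization server and a
# public client exercising the Authorization Code grant with PKCE (RFC 7636, S256)
# and then the refresh_token grant with no client_secret. Client ids, the sample
# secret and all tokens are constructed here; there is no network and no real AS.
import base64
import hashlib
import secrets


def b64url(raw):
    """Base64url without padding, the encoding RFC 7636 specifies."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def s256_challenge(code_verifier):
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def make_pkce_pair():
    """Client side: a fresh high-entropy code_verifier and its S256 challenge."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, within the 43..128 range
    return verifier, s256_challenge(verifier)


class AuthorizationServer:
    """Minimal AS: registered clients, outstanding codes, issued refresh tokens."""

    def __init__(self):
        # Constructed registrations: one public client, one confidential client.
        self.clients = {
            "spa-client": {"public": True, "secret": None},
            "backend-client": {"public": False, "secret": "s3cr3t-example"},
        }
        self.codes = {}           # code -> (client_id, code_challenge)
        self.refresh_tokens = {}  # refresh_token -> client_id

    def authorize(self, client_id, code_challenge, code_challenge_method="S256"):
        """Authorization endpoint: bind the challenge to the code being issued."""
        if client_id not in self.clients:
            raise ValueError("unknown client")
        if code_challenge_method != "S256":
            raise ValueError("unsupported code_challenge_method")
        code = b64url(secrets.token_bytes(16))
        self.codes[code] = (client_id, code_challenge)
        return code

    def _authenticate(self, client_id, client_secret):
        """Confidential clients must present their secret; public clients present none."""
        client = self.clients.get(client_id)
        if client is None:
            raise PermissionError("invalid_client")
        if not client["public"]:
            if client_secret is None or not secrets.compare_digest(
                client_secret, client["secret"]
            ):
                raise PermissionError("invalid_client")

    def _issue_tokens(self, client_id):
        refresh = b64url(secrets.token_bytes(24))
        self.refresh_tokens[refresh] = client_id
        return {"access_token": b64url(secrets.token_bytes(24)),
                "token_type": "Bearer", "refresh_token": refresh}

    def token_code(self, client_id, code, code_verifier, client_secret=None):
        """grant_type=authorization_code: authenticate if confidential, then check PKCE."""
        self._authenticate(client_id, client_secret)
        entry = self.codes.pop(code, None)  # a code is single-use even when the check fails
        if entry is None:
            raise PermissionError("invalid_grant")
        bound_client, challenge = entry
        if bound_client != client_id or not secrets.compare_digest(
            s256_challenge(code_verifier), challenge
        ):
            raise PermissionError("invalid_grant")
        return self._issue_tokens(client_id)

    def token_refresh(self, client_id, refresh_token, client_secret=None):
        """grant_type=refresh_token: same authentication rule, then rotate the token."""
        self._authenticate(client_id, client_secret)
        if self.refresh_tokens.pop(refresh_token, None) != client_id:
            raise PermissionError("invalid_grant")
        return self._issue_tokens(client_id)


def public_client_flow(auth_server):
    """Run the full public-client exchange and report what happened at each step."""
    verifier, challenge = make_pkce_pair()
    code = auth_server.authorize("spa-client", challenge)
    first = auth_server.token_code("spa-client", code, verifier)  # no client_secret
    second = auth_server.token_refresh("spa-client", first["refresh_token"])
    try:  # the rotated-out refresh token must not work again
        auth_server.token_refresh("spa-client", first["refresh_token"])
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    return {"first": first, "second": second, "replay_rejected": replay_rejected}


if __name__ == "__main__":
    result = public_client_flow(AuthorizationServer())
    print("refresh rotated:", result["first"]["refresh_token"] != result["second"]["refresh_token"])
    print("replay rejected:", result["replay_rejected"])
```

The two points the reply makes are visible in `_authenticate` and `token_code`: authentication is required only when the registered client is confidential, and PKCE is checked independently of that, so a public client refreshes with nothing but its client_id and the refresh token. Because such a client has no credential, this toy AS rotates the refresh token on every use and rejects a replay of the old one, which is the mitigation the OAuth security BCP recommends for public clients that are not otherwise sender-constrained.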