[OAUTH-WG] Using refresh tokens to authenticate the clients

Sergey Beryozkin <sberyozkin@gmail.com> Fri, 06 March 2015 18:00 UTC

Return-Path: <sberyozkin@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B95081A0021 for <oauth@ietfa.amsl.com>; Fri, 6 Mar 2015 10:00:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Yy6vEfG8SUeB for <oauth@ietfa.amsl.com>; Fri, 6 Mar 2015 09:59:59 -0800 (PST)
Received: from mail-wg0-x232.google.com (mail-wg0-x232.google.com [IPv6:2a00:1450:400c:c00::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F9AE1A00DC for <oauth@ietf.org>; Fri, 6 Mar 2015 09:59:59 -0800 (PST)
Received: by wghl2 with SMTP id l2so17873306wgh.8 for <oauth@ietf.org>; Fri, 06 Mar 2015 09:59:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=7RBUgidvtgUVk3QqxCfX4JyxNDQpPa+l+4zOgdTIr3U=; b=GA32kbeY5zO83u2jpd3ibImpiqnkuBluMoaV4NsZZTc18sUlTiVN1Fp1O5blhQu69K iR3ju7kq8PBgTkHcPmRUqe3c3kaxNgzrGI43HrG0jkR86UvoQ8NtkjNScYp6+lvQ3/cZ WQRYPOvdSCpkMQ15pOJgMwBSeNYCYeM9x22vKKOorYZiX8A4N18nRNWbkzj7aOlAylGP 5r3n23ENjFiOTtyLocEJKWVxO3ioQRm68dwesaeHpSaHnxIPXw2pKtdpnAdJMoS2TSsk yA+uk/oTFXEBFvQjzcIBmc8iNPIEH2RFE7pJIhOyFqcQus+myoNLRi6IwAz5TuV2R4i8 xtew==
X-Received: by 10.194.189.138 with SMTP id gi10mr32636422wjc.86.1425664797966; Fri, 06 Mar 2015 09:59:57 -0800 (PST)
Received: from [192.168.2.7] ([89.100.10.58]) by mx.google.com with ESMTPSA id ew5sm3211442wic.14.2015.03.06.09.59.53 for <oauth@ietf.org> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 06 Mar 2015 09:59:56 -0800 (PST)
Message-ID: <54F9EB19.3010706@gmail.com>
Date: Fri, 06 Mar 2015 17:59:53 +0000
From: Sergey Beryozkin <sberyozkin@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: oauth@ietf.org
References: <54F59359.5020601@gmx.net> <2A7D9B45-2459-4558-8356-CAB1029D113D@MIT.EDU> <4E1F6AAD24975D4BA5B1680429673943A2E78D9F@TK5EX14MBXC292.redmond.corp.microsoft.com>, <54F7C2B7.7090304@mit.edu> <4E1F6AAD24975D4BA5B1680429673943A2E79640@TK5EX14MBXC292.redmond.corp.microsoft.com> <54F9E246.70901@gmail.com>
In-Reply-To: <54F9E246.70901@gmail.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/vGF5aVIv20cHBM5rU2G-_UxzI3Q>
Subject: [OAUTH-WG] Using refresh tokens to authenticate the clients
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Mar 2015 18:00:00 -0000

Hi All,

The example at [1] suggests that clients working with a refresh grant 
authenticate as usual when they need to use a grant.

The section 3.3 in the threat model document [2] says that

    "as long as the confidentiality of the particular token can be
    ensured by the client, a refresh token can also be used as an
    alternative means to authenticate the client instance itself"

How this can be processed by the access token service that expects a 
client to authenticate ?
Example, typically,
Authorization: Basic encodedInfo

If a refresh token is used to authenticate, how to express it ?

client_id=refreshToken in the form payload or URI query ?

Thanks, Sergey


[1] https://tools.ietf.org/html/rfc6749#section-6
[2] https://tools.ietf.org/html/rfc6819#section-3.3