Re: [OAUTH-WG] Refresh tokens

Kris Selden <> Wed, 15 June 2011 19:21 UTC

From: Kris Selden <>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E7234475E986B4F@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Wed, 15 Jun 2011 12:20:47 -0700
References: <90C41DD21FB7C64BB94121FBBC2E7234475E986AF9@P3PW5EX1MB01.EX1.SECURESERVER.NET> <> <90C41DD21FB7C64BB94121FBBC2E7234475E986B4F@P3PW5EX1MB01.EX1.SECURESERVER.NET>
To: Eran Hammer-Lahav <>
Cc: OAuth WG <>
Subject: Re: [OAUTH-WG] Refresh tokens

There is a scalability reason, in that the access_token could be verifiable on the resource server without a DB lookup or a call out to a central server; the refresh token then serves as the means for revoking in the "an access token good for an hour, with a refresh token good for a year or good-till-revoked" case.

There is a security reason: the refresh_token is only ever exchanged with the authorization server, whereas the access_token is exchanged with resource servers. This mitigates the risk of a long-lived access_token leaking (query param in a log file on an insecure resource server, a beta or poorly coded resource server app, a JS SDK client on a non-HTTPS site that puts the access_token in a cookie, etc.) in the "an access token good for an hour, with a refresh token good for a year or good-till-revoked" case vs. "an access token good-till-revoked without a refresh token."

On Jun 15, 2011, at 11:56 AM, Eran Hammer-Lahav wrote:

> Yes, this is useful and on my list of changes to apply.
> But I would like to start with a more basic, normative definition of what a refresh token is for. Right now, we have a very vague definition for it, and it is not clear how developers should use it alongside access tokens.
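An added example (not code from this thread or from the OAuth WG) of the split Kris describes above: the resource server verifies an HMAC-signed, one-hour access token with no database lookup or call to the authorization server, while the refresh token is only ever presented to the authorization server, which keeps the revocation list. The shared key, claim names, TTL and store are constructed assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed shared secret between the authorization server and its resource servers.
AS_KEY = b"constructed-demo-key-do-not-reuse"
ACCESS_TTL = 3600  # "an access token good for an hour"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthServer:
    """The only party that ever sees refresh tokens; revocation lives here."""

    def __init__(self):
        self.refresh_store = {}  # refresh_token -> user; deleting the entry revokes it

    def _mint_access(self, user: str, now: int) -> str:
        # Self-contained token: claims + HMAC, so resource servers need no state.
        payload = _b64(json.dumps({"sub": user, "exp": now + ACCESS_TTL}).encode())
        sig = _b64(hmac.new(AS_KEY, payload.encode(), hashlib.sha256).digest())
        return f"{payload}.{sig}"

    def issue(self, user: str, now: int):
        refresh = secrets.token_urlsafe(32)  # opaque, good-till-revoked
        self.refresh_store[refresh] = user
        return self._mint_access(user, now), refresh

    def refresh(self, refresh_token: str, now: int):
        user = self.refresh_store.get(refresh_token)  # the one DB lookup, done here only
        return None if user is None else self._mint_access(user, now)

    def revoke(self, refresh_token: str) -> None:
        self.refresh_store.pop(refresh_token, None)


def verify_access(token: str, now: int):
    """Resource-server check: signature and expiry only, no lookup, no call-out."""
    try:
        payload, sig = token.split(".")
        expected = hmac.new(AS_KEY, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None
        claims = json.loads(_unb64(payload))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
    return None if now >= claims["exp"] else claims["sub"]
```

Once a leaked access token expires, the holder cannot renew it, because renewal requires the refresh token that was never sent to a resource server.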