[OAUTH-WG] Certificate-bound refresh tokens and certificate expiration handling in case of the confidential clients
mikheil@association.ge Thu, 11 August 2022 15:10 UTC
Return-Path: <mikheil@association.ge>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA542C15C500 for <oauth@ietfa.amsl.com>; Thu, 11 Aug 2022 08:10:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.907
X-Spam-Level:
X-Spam-Status: No, score=-6.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=association-ge.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qpsufRdD0smc for <oauth@ietfa.amsl.com>; Thu, 11 Aug 2022 08:10:08 -0700 (PDT)
Received: from mail-ej1-x634.google.com (mail-ej1-x634.google.com [IPv6:2a00:1450:4864:20::634]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5E48DC159486 for <oauth@ietf.org>; Thu, 11 Aug 2022 08:10:08 -0700 (PDT)
Received: by mail-ej1-x634.google.com with SMTP id i14so34040031ejg.6 for <oauth@ietf.org>; Thu, 11 Aug 2022 08:10:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=association-ge.20210112.gappssmtp.com; s=20210112; h=content-language:thread-index:content-transfer-encoding :mime-version:message-id:date:subject:in-reply-to:references:to:from :from:to:cc; bh=UPmlbnz5nrs9n0ftK7hT7TSo8gal1btoTsgAiiQx8rg=; b=sXl24XVN1dXRpj0YVn86PeinsJ/wwHJODIvV+0u7TTDTq7Drfjn+iEqImaBNAUOiyo WECAXHIghkf4C4IdnKC9mgeH7JMeGm0FpRy4Njh4AMpUMWwM+ZXh2h77v6gQqICtWBJ7 V92MV47STX7LXTUxH+bv+k0qawugcA+tSQlb+AzX3z9e3hdwBjRS6I1EffuWG52X/0HE o/zWi18YY5ATAfMrdN9ZrGfzKPWKVlje/JKZNKZ0ppr9bSXfHCt22lYOq3y/2c3PAeed dFTu5QdiQ4LOC4LDxEGPUQx9XJdL2b9To2gnr8NQyREdcdVYzeAA4yGTGSsj7d9gEJMO BNJA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-language:thread-index:content-transfer-encoding :mime-version:message-id:date:subject:in-reply-to:references:to:from :x-gm-message-state:from:to:cc; bh=UPmlbnz5nrs9n0ftK7hT7TSo8gal1btoTsgAiiQx8rg=; b=BxhJjxRhydePys+3YOAR5ENZr/DL28iXVMX9NIQoKPsEFKCfZSa/RjAdbU+ZVdbk4k 9oPjDxQ8NvoHWJ9bcZgnXanPWA4hTSKRSZdEs/rfGYJAYQ5QbXnx4GViStnSzIUYaoac q75ef2X90TSWxKNmFtCGASa7kbh0vQvpn0/CGxfaiSxxE7UIp5GepDK5PWZ6iisQMTmz nNH6RsP6zT8RLIJCsIRs3riWSLeMfldZAcGW11Fl1nAXPkUH+V99HBtXir29sMsMQ+Yf 0bGWPC4imCxuQVzBjjCkCqY3PRw7+4+AVEJEBgIrEPL7tayz3r5rrgvwn0RcF1RUCrGd tBfQ==
X-Gm-Message-State: ACgBeo2B3iDcQVzIr+nR4aqIRVoGDru3qJ7xrGY7YS6HbxV//ywumRsE RQk9Pt5ywKMKX9jpk9Sybc+9odDznwHYdQ==
X-Google-Smtp-Source: AA6agR4n33q+jOQs6rnc0CfMXHTktsFFDaNd8TJEQmoKZYstitPnzgsIurZKF+QOIXb2ePF78nTGKA==
X-Received: by 2002:a17:907:6eac:b0:730:a07f:38bb with SMTP id sh44-20020a1709076eac00b00730a07f38bbmr25282182ejc.750.1660230606473; Thu, 11 Aug 2022 08:10:06 -0700 (PDT)
Received: from DESKTOP4L2D0VO ([185.70.52.59]) by smtp.gmail.com with ESMTPSA id 3-20020a170906328300b00722e31fcf42sm3571591ejw.184.2022.08.11.08.10.05 for <oauth@ietf.org> (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 11 Aug 2022 08:10:06 -0700 (PDT)
From: mikheil@association.ge
To: oauth@ietf.org
References: <006c01d8ad93$776364f0$662a2ed0$@association.ge>
In-Reply-To: <006c01d8ad93$776364f0$662a2ed0$@association.ge>
Date: Thu, 11 Aug 2022 19:10:05 +0400
Message-ID: <007201d8ad94$710026b0$53007410$@association.ge>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQLiQzKwc9eJ8soby+J5nIG7KkIH56uWoMRg
Content-Language: ka
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/vyaz3ESDNNg86GA4cXB6u5S20t4>
Subject: [OAUTH-WG] Certificate-bound refresh tokens and certificate expiration handling in case of the confidential clients
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Aug 2022 15:11:25 -0000
Hi, I have noticed is that some OAuth2 AS implementations use certificate thumbprints to bind not only access tokens but also refresh tokens to client certificates. This happens for both public and confidential clients. As a result, when the certificate is replaced (e.g., it is about to expire soon), both access and refresh tokens are drawn unusable. While RFC 8705 indeed requires binding refresh token to the certificate in case of the public clients in Section 4 and Section 7.1, the wording is not that explicit for the confidential clients. More specifically, Section 7.1 of the RFC 8705 is worded in a way which does not explicitly deny keeping refresh tokens alive after certificate change: it talks about binding to client ID, thus binding "indirectly" to the certificate. Also, Section 6.3 requires access tokens to be invalidated after certificate change and mentions refresh tokens as typical tools for renewing them. >From the practical perspective, if the confidential client got a refresh token for the offline access and sufficient time (e.g., for a month), this would be quite impractical and not very user-friendly to ask a lot of users to give consents again when the confidential client wants to upgrade its certificate. But seems like software vendors did not interpret the RFC that way. So, the questions: 1) Is my assumption correct and it will not be a violation of the RFC if refresh tokens issued to the confidential clients survive certificate change (e.g., by binding them to Client ID, not the certificate thumbprint)? 2) If the answer on the 1st question is yes, would it be better to provide more clarification in the section 7.1 to avoid misinterpretations in the future? Best Regards, Mikheil Kapanadze
- [OAUTH-WG] Certificate-bound refresh tokens and c… mikheil
- Re: [OAUTH-WG] Certificate-bound refresh tokens a… Brian Campbell
- Re: [OAUTH-WG] Certificate-bound refresh tokens a… mikheil
- Re: [OAUTH-WG] Certificate-bound refresh tokens a… Jaimandeep Singh
- Re: [OAUTH-WG] Certificate-bound refresh tokens a… Karsten Meyer zu Selhausen
- Re: [OAUTH-WG] Certificate-bound refresh tokens a… Jaimandeep Singh
- Re: [OAUTH-WG] Certificate-bound refresh tokens a… Torsten Lodderstedt
- Re: [OAUTH-WG] Certificate-bound refresh tokens a… Jaimandeep Singh
- Re: [OAUTH-WG] Certificate-bound refresh tokens a… Aaron Parecki