IETF Logo Mail Archive

Re: [OAUTH-WG] refresh tokens and client instances

Sergey Beryozkin <sberyozkin@gmail.com> Thu, 03 July 2014 11:33 UTC

Return-Path: <sberyozkin@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0BBCA1B28A4 for <oauth@ietfa.amsl.com>; Thu, 3 Jul 2014 04:33:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w63vjttMBDXm for <oauth@ietfa.amsl.com>; Thu, 3 Jul 2014 04:33:23 -0700 (PDT)
Received: from mail-wi0-x229.google.com (mail-wi0-x229.google.com [IPv6:2a00:1450:400c:c05::229]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E41EE1B27E3 for <oauth@ietf.org>; Thu, 3 Jul 2014 04:33:22 -0700 (PDT)
Received: by mail-wi0-f169.google.com with SMTP id hi2so10384629wib.0 for <oauth@ietf.org>; Thu, 03 Jul 2014 04:33:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=HpqEpsMSeuGyupp3Ap+N3xhNPGNCNSEtKz1CyJkyrrg=; b=kS2Fsqa1FTQk5Ob818Ns/UcSYSp7fx0SC+88w2+6nZAc40K7ZnBxsSRzEopIXufEQg HxBZcaqpMCsg6OBa8I6Ml1jQLZQfqj573Gr8oejNMXVr5djHaXNRWZ5D//eR/GBg8BIQ 8ydSKMHho3HT9ZI4DUQxpc9z52ib1ImeOH4Jwx3DxTAyaAIcwvJ91Tax6b7OpWNuAC5S XqtNVXMf8fN5vEr11fMh7zltL4UoqDqNeh/Kub6P5BjbLBIjNcjAQWbS1Lmfbl5S7jy7 he6yRWikKQSjGwQlorQ8C1IJnNEFpbDZmk7HDECZVr8K119MGrMZfJdkDJ3HDdsWYnxO Sz9g==
X-Received: by 10.194.22.201 with SMTP id g9mr4341006wjf.98.1404387197777; Thu, 03 Jul 2014 04:33:17 -0700 (PDT)
Received: from [192.168.2.7] ([109.255.82.12]) by mx.google.com with ESMTPSA id h3sm61448923wjz.48.2014.07.03.04.33.16 for <oauth@ietf.org> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 03 Jul 2014 04:33:17 -0700 (PDT)
Message-ID: <53B53F7C.506@gmail.com>
Date: Thu, 03 Jul 2014 12:33:16 +0100
From: Sergey Beryozkin <sberyozkin@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: oauth@ietf.org
References: <007a01cf90d2$7bdda950$7398fbf0$%nakhjiri@samsung.com> <0BA8278C-6856-4C9F-96C7-C5752F3F1E09@ve7jtb.com> <002201cf922c$9ec65c90$dc5315b0$%nakhjiri@samsung.com> <EF0302C0-8077-408D-B82B-35FEAFD3C263@ve7jtb.com>
In-Reply-To: <EF0302C0-8077-408D-B82B-35FEAFD3C263@ve7jtb.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/xpsMLz6XO0EeDz93LemzylH3kEw
Subject: Re: [OAUTH-WG] refresh tokens and client instances
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Jul 2014 11:33:26 -0000

Hi

I'm finding the answers from John interesting but I'm failing to 
understand why refresh tokens are mentioned in scope of identifying the 
specific client instances.

AFAIK refresh tokens would only go on the wire, assuming they are 
supported, when a client exchanges a grant for a new access token.
And when the client uses a refresh token grant.

Was it really about a refresh token grant where the incoming client id 
and refresh token pair can uniquely identify the actual client instance 
? That would make sense.

Something else I'd like to clarify.
John mentions a refresh token is created at the authorization grant 
initialization time. Would it make any difference, as far as the 
security properties of a grant are concerned, if refresh token was only 
created at a grant to access token exchange point of time ?

Thanks, Sergey

On 27/06/14 19:21, John Bradley wrote:
> Inline
>
> On Jun 27, 2014, at 1:24 PM, Madjid Nakhjiri <m.nakhjiri@samsung.com
> <mailto:m.nakhjiri@samsung.com>> wrote:
>
>> Hi John,
>> Thank you for your reply. Would appreciate if you consider my inline
>> comments below and respond again!
>> R,
>> Madjid
>> *From:*John Bradley [mailto:ve7jtb@ve7jtb.com]
>> *Sent:*Wednesday, June 25, 2014 5:56 PM
>> *To:*Madjid Nakhjiri
>> *Cc:*oauth@ietf.org <mailto:oauth@ietf.org>
>> *Subject:*Re: [OAUTH-WG] refresh tokens and client instances
>> In 3.3 It is saying that the refresh token is a secret that the
>> Authorization server has bound to the client_id, that the
>> Authorization server effectively uses to differentiate between
>> instances of that client_id.
>> Madjid>>If I have 10,000s of devices, each with an instance of the
>> OAUTH client, but they are all using the same client ID, how would the
>> server know which token to use for what client? unless when I am
>> creating a token, I also include something that uniquely identifies
>> each instance? Don’t I have to use SOMETHING that is unique to that
>> instance (user grant/ID?)?
> When the grant is issued you create and store a refresh token which is
> effectively the identifier for that instance/grant combination.
> When it comes back on a request to the token endpoint you look up the
> grants associated with it.   You also hack that the client_id sent in
> the request matches to detect errors mostly)
>
>> When the refresh token is generated, it can be stored in a table with
>> the client_id and the information about the grant.   You could also do
>> it statelesly by creating a signed object as the refresh token.
>> Madjid>>agreed, but for the signed object to be self-sustained, again
>> would I not need something beyond a “population” client_ID? Are we
>> prescriptive what “information about the grant” is?
> You would be creating a bearer token as long as the AS signs it you can
> put whatever grant grant info you like in it, that is implementation
> specific.  It  could be a list of the scopes granted and the subject.
>> The spec is silent on the exact programming method that the
>> Authorization server uses.
>> Madjid>>Are there any other specs in IETF or elsewhere (OASIS, etc?)
>> that prescribe token calculation (e.g. hash function, parameters, etc)?
>
> You can look at JOSE and JWT for a way to create tokens
> http://tools.ietf.org/html/draft-ietf-oauth-json-web-token
>> In 3.7 Deployment independent describes using the same client_id
>> across multiple instances of a native client, or multiple instances of
>> a Java Script client running in a browsers with the same callback uri.
>> Since the publishing of this RFC we have also developed a spec for
>> dynamic client registration so it is possible to give every native
>> client it's own client_id and secret making them confidential clients.
>> Madjid>>I would need to look at those specs, however, I thought that
>> the “confidential client” designation has to do with the client
>> ability to hold secrets and perform a-by-server-acceptable
>> authentication. Does dynamic client registration affect client’s
>> ability in that aspect?
>
> Yes it doesn't require the secret to be in the downloaded instance of
> the native app.  It can be populated at first run, changing it from
> public to confidential.
> Confidential is not just for web servers any more.
>> There is also a middle ground some people take by doing a proof of
>> possession for code in native applications to prevent the interception
>> of responses to the client by malicious applications on the device.
>> https://datatracker.ietf.org/doc/draft-sakimura-oauth-tcse/
>> John B.
>> On Jun 25, 2014, at 8:06 PM, Madjid Nakhjiri <m.nakhjiri@samsung.com
>> <mailto:m.nakhjiri@samsung.com>> wrote:
>>
>>
>> Hi all,
>> I am new to OAUTH list and OAUTH, so apologies if this is very off-topic.
>> I am evaluating an OAUTH 2.0 implementation that is done based on bare
>> bone base OAUTH2.0 RFC. From what I understand, many (or some) client
>> implementations use a “global ID/secret” pair for all instances of the
>> client.  Looking at RFC 6819 and there seem to be a whole page on this
>> topic, if I understand it correctly. So questions:
>> 1)Section 3.7 talks about deployment-independent versus deployment
>> specific client IDs. I am guessing “deployment-independent” refers to
>> what I called “global”, meaning if I have the same client with the
>> same client ID installed in many end devices, that is a deployment
>> independent case, correct?
>> 2)Section 3.3 on refresh token mentions that the token is secret bound
>> to the client ID and client instance. Could somebody please point me
>> to where the token generation and binding is described? Also how is
>> the client instance is identified?
>> Thanks a lot in advance,
>> Madjid Nakhjiri
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email