Re: [OAUTH-WG] Refresh token security considerations
Torsten Lodderstedt <torsten@lodderstedt.net> Sun, 10 July 2011 08:21 UTC
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Date: Sun, 10 Jul 2011 11:21:12 +0300
To: Eran Hammer-Lahav <eran@hueniverse.com>, OAuth WG <oauth@ietf.org>
Message-ID: <152fee05-9248-45e5-a9b5-86e880e5b1f9@email.android.com>
Replacement of the refresh token with every access token refresh is an example. The authz server creates and returns a new refresh token value with every access token refreshment. The old value is invalidated and must not be used any further.

Note: The authz server keeps track of all old (invalidated) refresh tokens. If a client presents one of those old refresh tokens, the legitimate client has most likely been compromised. The authz server then revokes the refresh token and the associated access authorization.

regards,
Torsten.

Eran Hammer-Lahav <eran@hueniverse.com> wrote:
> "the authorization server SHOULD deploy other means to detect refresh token abuse"
>
> This requires an example.
>
> EHL
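The rotation-with-reuse-detection scheme described in the reply, as an added example (not code from this thread or from any OAuth implementation): an in-memory authorization-server model that issues a fresh refresh token on every refresh, retires the old value, and revokes the whole grant when a retired token is presented again. The class and method names, the in-memory store and the status strings are all constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Grant:
    """One access authorization; every refresh token issued for it belongs here."""
    grant_id: str
    client_id: str
    revoked: bool = False
    current_refresh_token: Optional[str] = None
    # Retired (invalidated) refresh tokens are kept so reuse can be detected.
    retired: Set[str] = field(default_factory=set)


class AuthzServer:
    """Constructed in-memory model of the refresh-token endpoint."""

    def __init__(self) -> None:
        self.grants: Dict[str, Grant] = {}
        self.token_to_grant: Dict[str, str] = {}  # refresh token -> grant_id

    def issue_grant(self, client_id: str) -> str:
        """Create a new authorization and return its first refresh token."""
        grant = Grant(secrets.token_urlsafe(8), client_id)
        self.grants[grant.grant_id] = grant
        return self._rotate(grant)

    def _rotate(self, grant: Grant) -> str:
        """Retire the current refresh token (if any) and mint a new one."""
        if grant.current_refresh_token is not None:
            grant.retired.add(grant.current_refresh_token)
        grant.current_refresh_token = secrets.token_urlsafe(32)
        self.token_to_grant[grant.current_refresh_token] = grant.grant_id
        return grant.current_refresh_token

    def refresh(self, client_id: str, refresh_token: str) -> Tuple[str, Optional[str]]:
        """Return (status, new_refresh_token); the new token is None unless status is 'ok'."""
        grant_id = self.token_to_grant.get(refresh_token)
        if grant_id is None:
            return ("invalid_grant", None)
        grant = self.grants[grant_id]
        if grant.revoked or grant.client_id != client_id:
            return ("invalid_grant", None)
        if refresh_token in grant.retired:
            # A retired token came back: some party holds a copy it should not have.
            # Revoke the grant so neither the old nor the current token works any more.
            grant.revoked = True
            grant.current_refresh_token = None
            return ("reuse_detected", None)
        return ("ok", self._rotate(grant))
```

A real server would persist the retired set (or a per-grant token generation counter) and log the `reuse_detected` event, since it is the signal that tells the operator a client's refresh token leaked.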