Re: [OAUTH-WG] OAuth2 Implementation questions (client secret and refresh tokens)
Dave Rochwerger <daver@quizlet.com> Thu, 08 September 2011 00:06 UTC
Return-Path: <daver@quizlet.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E4F521F87C5 for <oauth@ietfa.amsl.com>; Wed, 7 Sep 2011 17:06:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.976
X-Spam-Level:
X-Spam-Status: No, score=-2.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lavp6aeN5V5E for <oauth@ietfa.amsl.com>; Wed, 7 Sep 2011 17:06:15 -0700 (PDT)
Received: from mail-gy0-f172.google.com (mail-gy0-f172.google.com [209.85.160.172]) by ietfa.amsl.com (Postfix) with ESMTP id EF39D21F8797 for <oauth@ietf.org>; Wed, 7 Sep 2011 17:06:14 -0700 (PDT)
Received: by gyd12 with SMTP id 12so195560gyd.31 for <oauth@ietf.org>; Wed, 07 Sep 2011 17:08:05 -0700 (PDT)
Received: by 10.150.157.3 with SMTP id f3mr193716ybe.386.1315440485225; Wed, 07 Sep 2011 17:08:05 -0700 (PDT)
Received: from mail-gw0-f42.google.com (mail-gw0-f42.google.com [74.125.83.42]) by mx.google.com with ESMTPS id 9sm105167ybb.1.2011.09.07.17.08.03 (version=SSLv3 cipher=OTHER); Wed, 07 Sep 2011 17:08:04 -0700 (PDT)
Received: by gwb17 with SMTP id 17so290665gwb.15 for <oauth@ietf.org>; Wed, 07 Sep 2011 17:08:03 -0700 (PDT)
Received: by 10.100.151.9 with SMTP id y9mr28961and.56.1315440483185; Wed, 07 Sep 2011 17:08:03 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.164.3 with HTTP; Wed, 7 Sep 2011 17:07:43 -0700 (PDT)
X-Originating-IP: [67.169.69.75]
In-Reply-To: <0F38FE37-5F91-48ED-AD9E-1F08B7AA8DA6@oracle.com>
References: <CAGyXixwZhMMTzWPrMeWQZEz0v_9WYGwPVByGfPAxGnAthf=3Ng@mail.gmail.com> <CAGyXixzH6uwf72ons1UE2-yKfx=TK-bSBSpN5TzmcJNPVcbxKg@mail.gmail.com> <1315434454.76681.YahooMailNeo@web31816.mail.mud.yahoo.com> <0F38FE37-5F91-48ED-AD9E-1F08B7AA8DA6@oracle.com>
From: Dave Rochwerger <daver@quizlet.com>
Date: Wed, 07 Sep 2011 17:07:43 -0700
Message-ID: <CAGyXixyTY9mKN5RtwtEyAdC1gBtahmuheckqi+S9yJYAdD7bEg@mail.gmail.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0016e6461542b934c304ac62da14"
Subject: Re: [OAUTH-WG] OAuth2 Implementation questions (client secret and refresh tokens)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Sep 2011 00:06:16 -0000
Hi Phil, >> The client is then forced to periodically reauthenticate (without the user) before getting a new access token. What benefit does that have? >> Refresh also gives the authzn server a chance to revoke access. Hence it is better to use shorter lived access tokens with long lived refresh tokens. That doesn't follow - we can just as easily revoke the single long-lived access token. Dave. On Wed, Sep 7, 2011 at 4:24 PM, Phillip Hunt <phil.hunt@oracle.com> wrote: > You can also use a long lived refresh token in combination with a short > access token. The client is then forced to periodically reauthenticate > (without the user) before getting a new access token. > > Refresh also gives the authzn server a chance to revoke access. Hence it is > better to use shorter lived access tokens with long lived refresh tokens. > > Phil > > On 2011-09-07, at 15:27, William Mills <wmills@yahoo-inc.com> wrote: > > I'll talk to the refresh token question: they give you a hook for > extensibility and key rotation. If you want to rotate your encryption keys > or extend the data carried in the token in any way then you want to be able > to cleanly refresh your tokens. Note that the refresh flow allows you to > issue a new refresh token at the same time. It also allows a clean path to > convert tokens in a new client if you decide you want SAML tokens instead of > MAC for example. > > If you want those things you want to use refresh tokens. You can have long > lived access tokens too, and just use the refresh tokens when you want to do > something new with the access tokens. > > -bill > > ------------------------------ > *From:* Dave Rochwerger <daver@quizlet.com> > *To:* <oauth@ietf.org>oauth@ietf.org > *Cc:* Quizlet Dev Team <devteam@quizlet.com> > *Sent:* Wednesday, September 7, 2011 2:15 PM > *Subject:* [OAUTH-WG] OAuth2 Implementation questions (client secret and > refresh tokens) > > Hi all, > > I have been implementing OAuth2 based on the various drafts for our new > API. Initially, I implemented everything as per the spec, but due to our > particular scenario and restrictions we have in place, there are some > fundamental questions that I am unable to defend. > > I am hoping this group could help answer them for me. > > Our scenario: > ========== > * We are implementing an API to allow 3rd party developers to access users' > protected resources via their applications. The applications will mostly be > native phone apps, but some will have web server backends (javascript-only > applications are not a concern at the moment). > * We want to provide very long-lived (forever) tokens. > * We are implementing the "authorization code" flow as that seems best > suited to us (we don't want the implicit flow because end-users would have > to re-authorize every hour). > > Our architecture: > ============ > * We control both the API server and the authorization server. > * All requests to protected resources (ie: to the API server) are always > done over SSL. > * All requests to the authz server (token and authorize endpoints) are > always done over SSL. > * We enforce that every client must supply the state parameter (and our > guidelines say they must verify the state for CSRF mitigation). > * We enforce that every client must register a redirect URI. > * We validate the redirect_uri used to request an access token is the same > that was used to obtain the auth code. > * The only time a request is not made over SSL is the redirect with the > auth_code which is very short-lived (30 seconds) and is tied to a verified > redirect URI. > * We enforce that access tokens must be provided using the Authorization > header only (and of course, over SSL). > * We have guidelines saying that all mobile apps must use the native > browser (and not an embedded web UI). > > Questions: > ======== > 1. Given the above scenario, what use are refresh tokens? > - Access tokens can not leak because every request (to resource and authz > server) containing an access token is done over SSL. We control both the > authz and resource servers, so tokens in logs (and other suggested reasons > in the archives) are not an issue. > - Long-lived refresh tokens and short-lived access tokens are supposed to > provide security due to possible access token leakage... but in our 100% > SSL scenario, if access tokens are able to leak, then so would the client > id, secret and refresh token. > - Having a long-lived refresh token that can be exchanged for another > access token adds a level of complexity (a second HTTPS request every so > often) and seems to provide no benefit for our case. > > > 2. What is the point of the client secret (in our scenario)? > - We originally were treating the clients as confidential, but after > re-reading the native-application section, it seems we really should treat > them as public (phone apps can be decompiled and the secret discovered). > - The spec says that the authz server should > authenticate confidential clients, but public clients are allowed to just > send their public client id (and no secret). > - The only verification then, is to enforce redirect URI registration and > to validate the redirect URI between authorization and token steps. > > So, the question is, assuming that we, one: "enforce redirect-URI > registration" and two: "validate that URI" - why can't we treat all clients > as public and not worry about a secret? > What is the benefit of having confidential clients (and a secret) at all? > > > Our API source is not available, but the oauth2 server implementation can > be seen here: <https://github.com/quizlet/oauth2-php> > https://github.com/quizlet/oauth2-php > > Regards, > Dave > > > _______________________________________________ > OAuth mailing list > <OAuth@ietf.org>OAuth@ietf.org > <https://www.ietf.org/mailman/listinfo/oauth> > https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > >
- Re: [OAUTH-WG] OAuth2 Implementation questions (c… Dave Rochwerger
- Re: [OAUTH-WG] OAuth2 Implementation questions (c… Phil Hunt
- Re: [OAUTH-WG] OAuth2 Implementation questions (c… Dave Rochwerger
- [OAUTH-WG] OAuth2 Implementation questions (clien… Dave Rochwerger
- Re: [OAUTH-WG] OAuth2 Implementation questions (c… William Mills
- Re: [OAUTH-WG] OAuth2 Implementation questions (c… Phillip Hunt
- Re: [OAUTH-WG] OAuth2 Implementation questions (c… Eran Hammer-Lahav
- Re: [OAUTH-WG] OAuth2 Implementation questions (c… Dave Rochwerger
- Re: [OAUTH-WG] OAuth2 Implementation questions (c… Dave Rochwerger
- Re: [OAUTH-WG] OAuth2 Implementation questions (c… Phil Hunt
- Re: [OAUTH-WG] OAuth2 Implementation questions (c… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth2 Implementation questions (c… Dave Rochwerger
- Re: [OAUTH-WG] OAuth2 Implementation questions (c… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth2 Implementation questions (c… Dave Rochwerger
- Re: [OAUTH-WG] OAuth2 Implementation questions (c… Torsten Lodderstedt