Thanks for the clarification, Torsten. I believe it's the first time I see use of client credentials positioned as sender constraint; if the intent is saying that confidential clients should use their credentials when redeeming refresh tokens, I am of course in agreement but I think the language should be clearer and state the above explicitly.
Re: failure frequency, I know of scenarios were the designers added rotation by default, and after a while it was turned to opt in because of the frequency of errors and impact on user experience/call center. I really believe that putting this as a MUST is justified only for exceedingly vulnerable situations, like SPAs. Native/desktop clients should be free to decide whether they want to opt in without loosing compliance. Just my 2 C On Thu, Mar 12, 2020 at 11:58 AM Torsten Lodderstedt <torsten= 40lodderstedt....@dmarc.ietf.org> wrote: > Hi, > > sender constraining refresh tokens for confidential client means client > authentication + check the binding of the refresh token with the respective > client id. I don’t think this is new as RFC6759 already required ASs to > check this binding. Assuming backends are generally confidential clients > also means no rotation and no cache synchronization needed. > > Rotation should be used for frontends, e.g. native apps and only if there > is there no other option. If a refresh fails, the app must go through the > authorization process again. That’s inconvenient so the question is how > often this happens. What I can say, I have never seen customer complaining > in several years of operation of ASs with refresh token rotation (including > replay detection) for native apps with millions of users. > > best regards, > Torsten. > > Am 12.03.2020 um 19:24 schrieb Vittorio Bertocci <Vittorio= > 40auth0....@dmarc.ietf.org>: > > > Hey guys, > thanks for putting this together. > I am concerned with the real world impact of imposing sender constraint | > rotation as a MUST on refresh tokens in every scenario. > Sender constraint isn't immediately actionable - we just had the > discussion for dPOP, hence I won't go in the details here. > Rotation isn't something that can be added without significant impact on > development and runtime experiences: > > - on distributed scenarios, it introduces the need to serialize access > to shared caches > - network failures can lead to impact on experience- stranding clients > which fail to receive RTn+1 during RTn redemption in a limbo where user > interaction might become necessary, disrupting experience or functionality > for scenarios where the user isn't available to respond. > - > > > > On Wed, Mar 11, 2020 at 5:28 PM Aaron Parecki <aa...@parecki.com> wrote: > >> I'm happy to share that Dick and Torsten and I have published a first >> draft of OAuth 2.1. We've taken the feedback from the discussions on >> the list and incorporated that into the draft. >> >> https://tools.ietf.org/html/draft-parecki-oauth-v2-1-01 >> >> A summary of the differences between this draft and OAuth 2.0 can be >> found in section 12, and I've copied them here below. >> >> > This draft consolidates the functionality in OAuth 2.0 (RFC6749), >> > OAuth 2.0 for Native Apps (RFC8252), Proof Key for Code Exchange >> > (RFC7636), OAuth 2.0 for Browser-Based Apps >> > (I-D.ietf-oauth-browser-based-apps), OAuth Security Best Current >> > Practice (I-D.ietf-oauth-security-topics), and Bearer Token Usage >> > (RFC6750). >> > >> > Where a later draft updates or obsoletes functionality found in the >> > original [RFC6749], that functionality in this draft is updated with >> > the normative changes described in a later draft, or removed >> > entirely. >> > >> > A non-normative list of changes from OAuth 2.0 is listed below: >> > >> > * The authorization code grant is extended with the functionality >> > from PKCE ([RFC7636]) such that the only method of using the >> > authorization code grant according to this specification requires >> > the addition of the PKCE mechanism >> > >> > * Redirect URIs must be compared using exact string matching as per >> > Section 4.1.3 of [I-D.ietf-oauth-security-topics] >> > >> > * The Implicit grant ("response_type=token") is omitted from this >> > specification as per Section 2.1.2 of >> > [I-D.ietf-oauth-security-topics] >> > >> > * The Resource Owner Password Credentials grant is omitted from this >> > specification as per Section 2.4 of >> > [I-D.ietf-oauth-security-topics] >> > >> > * Bearer token usage omits the use of bearer tokens in the query >> > string of URIs as per Section 4.3.2 of >> > [I-D.ietf-oauth-security-topics] >> > >> > * Refresh tokens must either be sender-constrained or one-time use >> > as per Section 4.12.2 of [I-D.ietf-oauth-security-topics] >> >> https://tools.ietf.org/html/draft-parecki-oauth-v2-1-01#section-12 >> >> I'm excited for the direction this is taking, and it has been a >> pleasure working with Dick and Torsten on this so far. My hope is that >> this first draft can serve as a good starting point for our future >> discussions! >> >> ---- >> Aaron Parecki >> aaronparecki.com >> @aaronpk >> >> P.S. This notice was also posted at >> https://aaronparecki.com/2020/03/11/14/oauth-2-1 >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > >
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
