Re: [OAUTH-WG] Lifetime of refresh token

2015-09-01 Thread Nat Sakimura

Re: [OAUTH-WG] Lifetime of refresh token

2015-08-31 Thread Donghwan Kim
@John, @William I'm of exactly the same opinion. When refreshing the token on expiration of the access token, a new access token and refresh token should be issued, unless that refresh token expired due to inactivity of 1 month or was invalidated by the user through some settings page of theirs.

Re: [OAUTH-WG] Lifetime of refresh token

2015-08-28 Thread Jim Manico
I stand corrected, the RFC does give specific time recommendations, such as the 10-minute authorization code recommendation here https://tools.ietf.org/html/rfc6749#section-4.1.2, but I think my overall point is still valid. :) Aloha, Jim On 8/28/15 11:36 AM, Jim Manico wrote: Again, I would st

Re: [OAUTH-WG] Lifetime of refresh token

2015-08-28 Thread Jim Manico
Again, I would state that this is all contextual to the application being built - which is why the RFC never gives specific times other than "short lived" or "long lived". I would suggest giving a series of recommendations relative to a few different risk profiles (low risk, social media, banki

Re: [OAUTH-WG] Lifetime of refresh token

2015-08-28 Thread Jim Manico
This is all contextual to the application. In some situations I want to immediately force re-authentication for all transactions above X$, such as in banking applications. In some situations I want a permanent refresh token, like for Twitter-like social applications. etc...etc... - Jim Manico O

Re: [OAUTH-WG] Lifetime of refresh token

2015-08-28 Thread William Denniss
+1 for John's suggestion. Why force users to re-authenticate after an arbitrary 30-day window? On Fri, Aug 28, 2015 at 1:41 PM John Bradley wrote: > I would use a 5 min AT and roll the refresh token per > https://tools.ietf.org/html/rfc6749#page-47 with a 1 month expiry if that > is what you wa

Re: [OAUTH-WG] Lifetime of refresh token

2015-08-28 Thread John Bradley
I would use a 5 min AT and roll the refresh token per https://tools.ietf.org/html/rfc6749#page-47 with a 1 month expiry if that is what you want for an inactivity timeout after which the user must authenticate again. The user can always revoke the

Re: [OAUTH-WG] Lifetime of refresh token

2015-08-28 Thread Justin Richer
One viable method for detecting “inactivity for one month” would be to have a one month expiration on the refresh token, but reset that counter every time the refresh token is used to get a new access token. You can do this by manipulating the expiration of the token object itself on your author
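John Bradley's 5-minute access token with a rolled refresh token, and Justin Richer's one-month expiry that resets on every use, combined into one toy authorization server. This is an added example, not code from any list member; it assumes "one month" means 30 days, keeps tokens in constructed in-memory dictionaries, and goes one step beyond the posts by revoking a user's live refresh tokens when a rotated-out refresh token is presented again, the detection RFC 6749 section 10.4 describes for rotation.

```python
import secrets

# Assumed from the thread: 5-minute access tokens and "one month" (taken here
# as 30 days) of refresh-token inactivity before the user must sign in again.
ACCESS_TOKEN_TTL = 5 * 60
REFRESH_INACTIVITY_TTL = 30 * 24 * 3600


class AuthorizationServer:
    """Toy AS token store (constructed for illustration, not a real library)."""

    def __init__(self):
        self._refresh = {}   # live refresh token -> {"user": ..., "expires_at": ...}
        self._retired = {}   # rotated-out refresh token -> user (reuse detection)

    def issue(self, user, now):
        """Issue a short-lived access token plus a refresh token whose expiry
        is measured from *now* (this is the sliding inactivity window)."""
        rt = secrets.token_urlsafe(32)
        self._refresh[rt] = {"user": user, "expires_at": now + REFRESH_INACTIVITY_TTL}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": ACCESS_TOKEN_TTL, "refresh_token": rt}

    def refresh(self, rt, now):
        """Handle grant_type=refresh_token. Returns a new token pair, or None
        (invalid_grant) when the client must send the user to authenticate again."""
        if rt in self._retired:
            # A rotated-out token came back: a buggy client or a stolen copy.
            # Revoke everything for that user (RFC 6749 section 10.4 rotation).
            self.revoke_user(self._retired.pop(rt))
            return None
        rec = self._refresh.get(rt)
        if rec is None or now >= rec["expires_at"]:
            self._refresh.pop(rt, None)       # inactivity timeout, or already revoked
            return None
        del self._refresh[rt]                 # rotation: the old token is single-use
        self._retired[rt] = rec["user"]
        return self.issue(rec["user"], now)   # new expiry counts from this use

    def revoke(self, rt):
        """User- or policy-initiated revocation of a single refresh token."""
        self._refresh.pop(rt, None)

    def revoke_user(self, user):
        """Revoke every live refresh token belonging to *user*."""
        for token in [t for t, r in self._refresh.items() if r["user"] == user]:
            del self._refresh[token]

    def live_count(self, user):
        return sum(1 for r in self._refresh.values() if r["user"] == user)
```

The `now` parameter stands in for the AS clock so the inactivity window can be exercised deterministically; a real deployment would also persist the retired-token set with a bounded lifetime.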

Re: [OAUTH-WG] Lifetime of refresh token

2015-08-28 Thread Bill Mills
You don't need to put an expiration on the refresh token. You get to see that refresh token every 5 minutes anyway. If you ever want to force the client to re-auth just use policy on the AS. Nothing will be broken with what you are doing though. On Friday, August 28, 2015 7:21 AM, Don

Re: [OAUTH-WG] Lifetime of refresh token

2015-08-28 Thread Donghwan Kim
I'm sorry to introduce a common topic. As John has suggested, I'm going to design that * An access token should be short lived, e.g. 5 minutes (not to hit the AS to verify the token) or 1 hour (to hit the AS to verify the token). I'm inclined to 5 minutes for a stateless architecture of RSs. * A refr

Re: [OAUTH-WG] Lifetime of refresh token

2015-08-28 Thread Torsten Lodderstedt
Refresh tokens are also used by public clients, e.g. native apps. OIDC allows acquiring a new id token from a refresh token as well. Note: this does not mean a fresh authentication but a refreshed id token containing the data of the original authentication transaction. On 24 August 2015 17:0

Re: [OAUTH-WG] Lifetime of refresh token

2015-08-24 Thread Bill Mills
You could have a refresh token that never expires. Having to use the refresh token to get a new access token gives you a single control point to allow checking whether that refresh token should still be valid. Means the RS doesn't have to do that stuff. On Monday, August 24, 2015 8:09

Re: [OAUTH-WG] Lifetime of refresh token

2015-08-24 Thread Jim Manico
There is a good debate and discussion on refresh tokens on StackOverflow. http://stackoverflow.com/questions/3487991/why-does-oauth-v2-have-both-access-and-refresh-tokens Is this a good place to send developers to answer refresh token questions, and if not, can the illustrious smart people on t

Re: [OAUTH-WG] Lifetime of refresh token

2015-08-24 Thread John Bradley
I think Nat's diagram about the problems of doing pseudo authentication with OAuth is being taken out of context. The refresh token doesn't expire, it is revoked by the user or system. In some cases refresh tokens are automatically revoked if the user's session to the AS ends. I think AOL typi

Re: [OAUTH-WG] Lifetime of refresh token

2015-08-24 Thread Justin Richer
The lifetime of a refresh token is up to the AS — they can expire, be revoked, etc. The difference between a refresh token and an access token is the audience: the refresh token only goes back to the AS, the access token goes to the RS. Also, just getting an access token doesn’t mean the user’

[OAUTH-WG] Lifetime of refresh token

2015-08-24 Thread Donghwan Kim
Hi, According to Figure 2 from http://tools.ietf.org/html/rfc6749#section-1.5, a refresh token can be used to refresh an expired access token without requiring the resource owner to sign in again (an uncomfortable experience). However, if that's true, isn't it the case that a refresh token might be used to request a n