Re: [OAUTH-WG] Refresh tokens

Tue, 09 Jul 2019 09:22:49 -0700

For historical references only... the Google model around refresh tokens and the AOL model around refresh tokens were slightly different. So I proposed a bunch of the OIDC text around refresh tokens and offline access to allow for both models.
At AOL, the model was that refresh_tokens were bound to the authentication session by default. The only way to get an "unbound" refresh_token was to request the 'offline_access' scope. We restricted which clients could request the 'offline_access' scope and limited it mostly to native apps. 


I'm happy to recommend errata text (as long as it's just explanatory) to 
the OIDC spec should someone have a recommendation they'd like to make:)


On 7/9/19 2:08 AM, David Waite wrote:




On Jul 8, 2019, at 8:39 PM, Aaron Parecki <aa...@parecki.com 
<mailto:aa...@parecki.com>> wrote:



These are all very good points! I think the challenge here is 
figuring out where this kind of guidance is most appropriate.



It does seem like some of these issues are unique to a browser 
environment (particularly where the browser itself is managing the 
access and refresh tokens), so maybe it makes the most sense to 
include this guidance in the browser based app BCP?



Yes, the location is a challenge - the ???offline??? distinction is 
defined (arguably under-defined) by OpenID Connect. OAuth (on the 
other hand) does not take a stand on user authentication sessions, 
since the tokens are for delegated access.



For confidential clients, both online and offline options make sense. 
For native apps, the push is usually for long-term access or for a 
session separate from the external user agent. But for browser apps, 
you typically want to mirror user authentication.



If there are situations in which this advice is applicable in other 
scenarios in addition to browser apps, then I think it would make 
more sense to include it in the general OAuth security BCP.



The Security BCP already has some language around refresh tokens, but 
I haven't reviewed it in a while to see if all of these points might 
be already covered there.



If folks think the Browser BCP is the best place for this kind of 
thing I am definitely open to it, and I can work with David on the 
specific language to add.


- Aaron


-DW

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth



_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth






















					Reply via email to