[OAUTH-WG] Refresh tokens security enhancement

2010-05-02 Thread Torsten Lodderstedt
Hi all, I discussed OAuth with some of the security experts here at Deutsche Telekom. We came up w/ an idea for enhancing refresh token handling I would like to discuss in the WG. Assumption: refresh tokens have a very long duration (month to unlimited) and are stored at the client in a pers

Re: [OAUTH-WG] Refresh tokens security enhancement

2010-05-03 Thread Allen Tom
Hi Torsten, Thanks for posting this idea - I think that issuing a new Refresh Token (and invalidating the old one) on every refresh request would help detect token theft. HOWEVER - in practice, this mechanism could make implementations very tricky. For example, some applications are highly distr

Re: [OAUTH-WG] Refresh tokens security enhancement

2010-05-04 Thread Torsten Lodderstedt
Hi Allen, On 03.05.2010 18:55, Allen Tom wrote: Hi Torsten, Thanks for posting this idea - I think that issuing a new Refresh Token (and invalidating the old one) on every refresh request would help detect token theft. HOWEVER - in practice, this mechanism could make implementations very tri

Re: [OAUTH-WG] Refresh tokens security enhancement

2010-05-04 Thread Marius Scurtescu
On Tue, May 4, 2010 at 11:32 AM, Torsten Lodderstedt wrote: > On 03.05.2010 18:55, Allen Tom wrote: >> Invalidating the Refresh Token (and presumably also invalidating any >> outstanding Access Tokens) would make sense as an option for applications >> that require a high level of security. Howev

Re: [OAUTH-WG] Refresh tokens security enhancement

2010-05-05 Thread Torsten Lodderstedt
On 04.05.2010 21:44, Marius Scurtescu wrote: On Tue, May 4, 2010 at 11:32 AM, Torsten Lodderstedt wrote: On 03.05.2010 18:55, Allen Tom wrote: Invalidating the Refresh Token (and presumably also invalidating any outstanding Access Tokens) would make sense as an option for applic

Re: [OAUTH-WG] Refresh tokens security enhancement

2010-05-09 Thread Eran Hammer-Lahav
age- > From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf > Of Torsten Lodderstedt > Sent: Wednesday, May 05, 2010 12:28 PM > To: Marius Scurtescu > Cc: OAuth WG (oauth@ietf.org) > Subject: Re: [OAUTH-WG] Refresh tokens security enhancement > > Am 04.05

Re: [OAUTH-WG] Refresh tokens security enhancement

2010-05-09 Thread Torsten Lodderstedt
, 2010 12:28 PM To: Marius Scurtescu Cc: OAuth WG (oauth@ietf.org) Subject: Re: [OAUTH-WG] Refresh tokens security enhancement On 04.05.2010 21:44, Marius Scurtescu wrote: On Tue, May 4, 2010 at 11:32 AM, Torsten Lodderstedt wrote: On 03.05.2010 18:55, Allen Tom wrote

Re: [OAUTH-WG] Refresh tokens security enhancement

2010-05-09 Thread Eran Hammer-Lahav
esh token. > > > > EHL > > > > > >> -Original Message- > >> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On > >> Behalf Of Torsten Lodderstedt > >> Sent: Wednesday, May 05, 2010 12:28 PM > >> To: Marius