BTW, as I'm working it into the document, these are all great reasons to recommend client authentication, but not to require it. You should clearly require it if you are going to implement all these protections, but at the same time, we clearly have use cases (pretty much from every major provider represented here) to issue refresh tokens to public clients (native apps, etc.) which cannot authenticate.
I feel we have been burying our head in the sand for too long about the true requirements and deployment of client authentication. I'm hoping -17 will offer a reasonable fix.

EHL

From: [email protected] [mailto:[email protected]] On Behalf Of Eran Hammer-Lahav
Sent: Wednesday, July 06, 2011 10:20 PM
To: Brian Eaton
Cc: OAuth WG
Subject: Re: [OAUTH-WG] Client authentication requirement

Very helpful.

EHL

From: Brian Eaton [mailto:[email protected]]
Sent: Thursday, June 16, 2011 8:38 AM
To: Eran Hammer-Lahav
Cc: Brian Campbell; OAuth WG
Subject: Re: [OAUTH-WG] Client authentication requirement

On Wed, Jun 15, 2011 at 6:19 PM, Eran Hammer-Lahav <[email protected]> wrote:
> Your comment was that having client authentication makes it easier to recover from an attack. I don't understand how the comments below about changing client secrets every 30 days are relevant. Are you suggesting to wait until the next routine secret cycle to revoke compromised credentials? Or that 30 days is a reasonable time period for ignoring an attack?

Sorry, there are multiple good reasons to require client authentication for the access token endpoint.

- if you need to recover from a compromise, changing the client credentials will prevent the attacker from abusing refresh tokens they have stolen. Changing a single client credential is much faster than revoking lots of refresh tokens.
- if you want to follow best practices for management of authentication credentials, you should do periodic key rotation. Rotation of lots of refresh tokens is quite challenging. Rotation of client credentials is much easier.
- if you want to bind refresh tokens to stronger authentication credentials, such as private keys stored in an HSM, you need to require client authentication when using the refresh token.

Is that helpful?

Cheers,
Brian
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
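The trade-off the thread is circling, as an added example that is not code from the mailing list or from any of its participants: a toy authorization server whose token endpoint handles only the refresh_token grant. Confidential clients must authenticate on every refresh, so rotating one client secret locks out anyone who stole refresh tokens along with the old secret while the legitimate client keeps using its existing tokens; public clients (native apps) have nothing to rotate, so their only recovery path is per-token revocation. Client names, secrets, the hashed-secret storage and the error strings returned are constructed here; the error codes follow the `invalid_client` / `invalid_grant` vocabulary of the OAuth 2.0 token endpoint.

```python
"""Toy OAuth 2.0 token endpoint: refresh_token grant with client authentication.

Added example, not from the OAuth WG thread. Client ids, secrets and the
in-memory storage layout are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Client:
    client_id: str
    confidential: bool
    # Secret stored as a hash; None for public clients, which cannot authenticate.
    secret_hash: Optional[bytes] = None


@dataclass
class RefreshToken:
    client_id: str  # every refresh token is bound to the client it was issued to
    revoked: bool = False


def _hash_secret(secret: str) -> bytes:
    return hashlib.sha256(secret.encode("utf-8")).digest()


class AuthorizationServer:
    """Minimal authorization server supporting only the refresh_token grant."""

    def __init__(self) -> None:
        self.clients: Dict[str, Client] = {}
        self.refresh_tokens: Dict[str, RefreshToken] = {}

    def register_client(self, client_id: str, secret: Optional[str]) -> None:
        # A client registered without a secret is a public client (native app etc.).
        self.clients[client_id] = Client(
            client_id=client_id,
            confidential=secret is not None,
            secret_hash=_hash_secret(secret) if secret is not None else None,
        )

    def rotate_client_secret(self, client_id: str, new_secret: str) -> None:
        """One operation that locks out holders of the old secret; refresh tokens
        already issued stay usable by the legitimate (re-credentialed) client."""
        client = self.clients[client_id]
        if not client.confidential:
            raise ValueError("public clients have no credential to rotate")
        client.secret_hash = _hash_secret(new_secret)

    def issue_refresh_token(self, client_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self.refresh_tokens[token] = RefreshToken(client_id=client_id)
        return token

    def revoke_refresh_token(self, token: str) -> None:
        """Per-token revocation: the only recovery path for a public client."""
        if token in self.refresh_tokens:
            self.refresh_tokens[token].revoked = True

    def refresh(self, client_id: str, client_secret: Optional[str],
                refresh_token: str) -> Dict[str, str]:
        client = self.clients.get(client_id)
        if client is None:
            return {"error": "invalid_client"}
        if client.confidential:
            # Client authentication is required at the token endpoint for
            # confidential clients; constant-time compare against the stored hash.
            if client_secret is None or not hmac.compare_digest(
                    _hash_secret(client_secret), client.secret_hash):
                return {"error": "invalid_client"}
        rt = self.refresh_tokens.get(refresh_token)
        # Reject unknown, revoked, or cross-client tokens.
        if rt is None or rt.revoked or rt.client_id != client_id:
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def compromise_recovery_demo() -> Dict[str, object]:
    """Walk through the recovery story for a confidential and a public client."""
    srv = AuthorizationServer()
    srv.register_client("web-app", secret="s3cret-v1")  # confidential
    srv.register_client("native-app", secret=None)      # public
    web_rt = srv.issue_refresh_token("web-app")
    native_rt = srv.issue_refresh_token("native-app")
    out: Dict[str, object] = {}
    # Assume both refresh tokens and the v1 web-app secret have leaked.
    out["before_rotation"] = "access_token" in srv.refresh("web-app", "s3cret-v1", web_rt)
    srv.rotate_client_secret("web-app", "s3cret-v2")
    out["attacker_after_rotation"] = srv.refresh("web-app", "s3cret-v1", web_rt).get("error")
    out["owner_after_rotation"] = "access_token" in srv.refresh("web-app", "s3cret-v2", web_rt)
    out["cross_client"] = srv.refresh("native-app", None, web_rt).get("error")
    # Public client: nothing to rotate, the stolen token still works...
    out["public_token_still_valid"] = "access_token" in srv.refresh("native-app", None, native_rt)
    # ...until that specific token is revoked.
    srv.revoke_refresh_token(native_rt)
    out["public_after_revoke"] = srv.refresh("native-app", None, native_rt).get("error")
    return out


if __name__ == "__main__":
    for k, v in compromise_recovery_demo().items():
        print(f"{k}: {v}")
```

The `cross_client` case is the binding point from the third bullet: a refresh token presented by a different client id is rejected regardless of what credential accompanies it, which is what makes binding to a stronger client credential (an HSM-held key in place of the shared secret shown here) meaningful.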
