Ok, I'm creating a new posting for this feedback. :) Here's where I probably just need some enlightenment, so please help me out.
Re 8. Refresh Tokens: "For public clients, the risk of a leaked refresh token is much greater than leaked access tokens, since an attacker can potentially continue using the stolen refresh token to obtain new access without being detectable by the authorization server." (First, note the typo "stoken".)

Is it always "higher risk"? I could even argue that leakage of a refresh token is lower risk. As a bearer document, a leaked access token allows access to resources until it expires. A leaked refresh token, to be useful, requires an exchange with the AS, and the AS would have the opportunity to check whether the refresh token is still valid (has not been revoked). (Of course revocation might NOT have happened, but then again, it might have.)

Furthermore, since the access token is transmitted to other servers, the risk of exposure is greater, due to possible vulnerabilities in those called systems (e.g., logs). Isn't this the reason that we have refresh tokens? Don't refresh tokens exist because access tokens should have a short TTL, because they are widely distributed?

"Additionally, browser-based applications provide many attack vectors by which a refresh token can be leaked." The risks of leaking a refresh token from the browser are identical to the risks of leaking an access token, right? This sentence could be changed to "... by which *a token* can be leaked."

A refresh token is "higher risk" because its TTL is usually greater than the access token's TTL. But if our advice here leads to people using longer-lived access tokens (because of the problems with getting a new access token without involving the user), then the advice will be counterproductive. The longer life gives more time for the usefulness of a browser-side theft, and more time for the usefulness of a server-side theft.

Which scenario is safer?

A) using an access token with a 10 minute TTL, accompanied by a refresh token with a 1 hour TTL
B) using an access token with a 1 hour TTL, and no refresh token.

I'd say that A is safer. (Unless, when the refresh token is used, a new refresh token is issued and the NEW refresh token gets another 1 hour. If this is the case, one could maintain refresh tokens indefinitely. Is this point addressed somewhere?)
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
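The following is an added example, written for this page and not taken from the post above or from any OAuth draft: a toy Python authorization server that hands out short-lived access tokens plus rotating refresh tokens, and a second-by-second simulation of how long tokens copied from the client at t=0 keep working under the two scenarios in the post (A: 10-minute access token with a 1-hour refresh token; B: 1-hour access token, no refresh token). It also covers the two points the post raises about rotation: a refresh-token family whose lifetime slides on every rotation really can be kept alive indefinitely, while an absolute cap on the family bounds it, and replay of an already-rotated refresh token is something the AS can notice. All class and function names, the 3-hour simulation horizon, and the t=900 revocation time are my assumptions, not anything from the post.

```python
"""Added example (not from the mailing-list post or any IETF draft): a toy AS
with rotating refresh tokens and a simulation of a stolen-token window.
All names, lifetimes and the revocation time are assumptions."""
import secrets
from dataclasses import dataclass


@dataclass
class RefreshToken:
    value: str
    family: str          # every token descended from one grant shares a family
    issued_at: int
    family_created: int
    used: bool = False   # set once it has been exchanged (rotation)


class AuthServer:
    def __init__(self, access_ttl, refresh_ttl=None, family_max=None):
        self.access_ttl = access_ttl
        self.refresh_ttl = refresh_ttl   # None: no refresh tokens issued at all
        self.family_max = family_max     # None: lifetime slides on each rotation
        self.access = {}                 # access token -> expiry (seconds)
        self.refresh = {}                # refresh token value -> RefreshToken
        self.revoked = set()             # revoked families

    def _mint(self, now, family, family_created):
        at = secrets.token_urlsafe(16)
        self.access[at] = now + self.access_ttl
        if self.refresh_ttl is None:
            return at, None
        rt = RefreshToken(secrets.token_urlsafe(16), family, now, family_created)
        self.refresh[rt.value] = rt
        return at, rt.value

    def grant(self, now):
        """Initial grant, e.g. after the authorization-code exchange."""
        return self._mint(now, secrets.token_hex(4), now)

    def refresh_grant(self, now, rt_value):
        """The refresh exchange: the one point where the AS can say no."""
        rt = self.refresh.get(rt_value)
        if rt is None or rt.family in self.revoked:
            return None
        if rt.used:
            # A rotated token presented again: somebody holds a copy. Kill the family.
            self.revoked.add(rt.family)
            return None
        if now >= rt.issued_at + self.refresh_ttl:
            return None
        if self.family_max is not None and now >= rt.family_created + self.family_max:
            return None                  # absolute cap: rotation does not extend it
        rt.used = True
        return self._mint(now, rt.family, rt.family_created)

    def revoke(self, rt_value):
        """Theft reported: revoke every token in that refresh-token family."""
        self.revoked.add(self.refresh[rt_value].family)

    def resource_accepts(self, now, at):
        """A bearer access token is checked for expiry only; no revocation lookup."""
        exp = self.access.get(at)
        return exp is not None and now < exp


def attacker_window(access_ttl, refresh_ttl=None, family_max=None,
                    revoke_at=None, horizon=3 * 3600):
    """Last second at which an attacker who copied the client's tokens at t=0
    can still reach the resource server (-1 if never)."""
    asrv = AuthServer(access_ttl, refresh_ttl, family_max)
    at, rt = asrv.grant(0)               # legitimate client's tokens ...
    s_at, s_rt = at, rt                  # ... copied by the attacker at t=0
    last_ok = -1
    for now in range(horizon):
        if now == revoke_at and rt is not None:
            asrv.revoke(rt)              # without a refresh token there is nothing to revoke
        if not asrv.resource_accepts(now, s_at) and s_rt is not None:
            fresh = asrv.refresh_grant(now, s_rt)
            s_at, s_rt = fresh if fresh else (s_at, None)
        if asrv.resource_accepts(now, s_at):
            last_ok = now
    return last_ok


def replay_is_detected():
    """Client rotates at t=600; the attacker replays the stale copy at t=700."""
    asrv = AuthServer(600, 3600, 3600)
    _, rt = asrv.grant(0)
    _, new_rt = asrv.refresh_grant(600, rt)           # legitimate rotation
    attacker = asrv.refresh_grant(700, rt)            # replay of the used token
    honest = asrv.refresh_grant(1200, new_rt)         # whole family is now dead
    return attacker is None and honest is None


if __name__ == "__main__":
    print("A, no revocation:", attacker_window(600, 3600, 3600))
    print("B, no revocation:", attacker_window(3600))
    print("A, theft revoked at t=900:", attacker_window(600, 3600, 3600, revoke_at=900))
    print("B, theft revoked at t=900:", attacker_window(3600, revoke_at=900))
    print("A, sliding family lifetime:", attacker_window(600, 3600, None))
    print("replay detected:", replay_is_detected())
```

With no revocation, A and B give the attacker the same 3600-second window, so the refresh token by itself adds nothing. The difference appears once the theft is noticed: in A the attacker's current access token still works until its 10-minute expiry, after which the next refresh is refused, while in B the 1-hour bearer token cannot be recalled because the resource server never asks the AS. Dropping the absolute family cap (family_max=None) reproduces the indefinite-refresh concern at the end of the post: the attacker keeps rotating for the whole horizon.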