V51 - OAuth - sender-contrained refresh tokens #2110
Comments
I'm wondering whether it would make sense to require the usage of sender-constrained refresh tokens (as opposed to refresh token rotation) in L3.
Maybe, this does not really matter in this verification but would be the object of another verification (?). Even if public clients are disallowed in L3, you would still want to have (because some L3 applications won't be 100% conformant from day one):
|
tghosth
added
1) Discussion ongoing
|
We must be aligned with proposal from #2038
|
|
Verify that refresh tokens for public clients are either sender-constrained, using DPoP or Certificate-Bound Access Tokens (mTLS), or use refresh token rotation to mitigate refresh token replay attacks. (L1, L2, L3)
The refresh-refresh pattern by itself is more of intrusion detection as opposed to attack mitigation. The other defenses force me to have full access to the client. Refresh refresh does not. If I can steal an active refresh token there is no other sender constraint that prevents me from using it. Only stealing am expired refresh token asserts the defense.
I suggest recommending (DPoP AND refresh-refresh) or (mTLS AND refresh-refresh) as opposed to recommending refresh-refresh as an alternative to the other defenses.
|
From OAuth 2.1 and FAPI 2, as far as I understand, refresh-token misuse is primary mitigated by client authentication for confidential clients. So, L3 is covered by requiring confidential clients (with strong authentication methods) and client authentication for all token requests (#2009) For public clients (which I think needs to be allowed for L1 and L2) OAuth 2.1 states: Either DPoP/mTLS or Refresh-token rotation. Which was the intent to capture with
But e g FAPI 2 notes that refresh-token rotation is a weaker mitigation (and sometimes problematic), so, as I think @jmanico suggests, ASVS should reflect this and more clearly recommend DPoP or mTLS over just rotation, correct? Perhaps like this
|
@randomstuff - any further feedback or need for changes? |
|
I think that requiring sender-constrained tokens even for L1 is a little drastic. Using sender-constrained access tokens all the time is a good idea but I'm not sure this matches much with the current state of software/frameworks, etc. This might therefore be a little too much for L1? |
|
I agree with that. To this direction?
|
|
Maybe:
|
Actually, I noticed that this conflicts with DPoP:
The existing mechanism being client authentication. |
Well actually no, it does not because of "public clients" 🤦 |
|
So, all good or need for changes? |
|
Current 51.2.4:
For refresh token rotation - we should require revoking previous refresh token, as decribed in: |
I was going to say that this is implied in "refresh token rotation" but actually that's not true. So you are right! 👍 |
|
Proposal for add-on to the current requirement 51.2.4:
"for that authorization" should be thought carefully - is it correct and is it understandable? |
I think the word we are looking for is the same we are discussing in #1968. |
|
@elarlang, Yes, I think "authorization" if probably the better word. See these snippets from the Oauth 2.1 draft:
Ad discussed in #1968, grant could be used to have a similar meaning of "granted authorization" but in OAuth it is always used to mean "authorization grant" which is some concrete representation of a granted authorization (such as a refresh token or an authorization code). |
|
Wording nitpick: " If the refresh token rotation is used" → " If refresh token rotation is used"? Otherwise LGTM. |
elarlang
added
the
5) awaiting PR
elarlang
added
6) PR awaiting review
and removed
4) proposal for review
|
A little late...but the way I read 51.2.4 now, it is hard to understand that sender-constrained should be used (if possible) since that is a stronger mitigation than rotation. For L3 that is somewhat clear since rotation as mitigation is only for L1 and L2, but for L1 and L2 we seem to suggest that they are equally strong mitigations, that it doesn´t matter which one you choose. Perhaps this is more clear, but a bit long?
|
|
What about something such as:
|
|
One more version:
|
|
elarlang
added
the
4) proposal for review
|
Yet another version (mix of the two)
But I think I like the one from @randomstuff better |
elarlang
added
6) PR awaiting review
and removed
4) proposal for review
|
Is there any need for a requirement about DPoP proof replay attacks? |
|
Updated via #2170
|
seems like a separate requirement and worth a separate issue? |
|
ping @randomstuff |
|
I opened this issue about DPoP proof replay attack #2188 |
Spin-off from #2040 (comment)
The proposal updates the requirement we already have as 51.2.4
For how many levels we allow "public clients"?
And we have a separate discussion/requirement for confidential clients in #2109
The text was updated successfully, but these errors were encountered: