Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

We need to reconsider whether to support refresh tokens. #410

Closed
ara4n opened this issue Jan 8, 2019 · 3 comments
Closed

We need to reconsider whether to support refresh tokens. #410

ara4n opened this issue Jan 8, 2019 · 3 comments
Labels
A-Client-Server Issues affecting the CS API enhancement A suggestion for a relatively simple improvement to the protocol

Comments

@ara4n
Copy link
Member

ara4n commented Jan 8, 2019

We removed refresh tokens from the spec in matrix-org/matrix-spec-proposals#1204 because a) nothing had implemented them despite them being specced for a year or so, b) there were doubts on whether they actually provided much benefit.

Since then, we've become aware of at least 2 projects built on Matrix who have chosen to re-add refresh tokens in their implementations as a custom addition to the protocol. The rationale is to avoid you ending up leaving a potential trail of access_tokens all over the place (e.g. in client local storage; http logs; server DBs; shell history) which have an infinite lifespan unless explicitly expired, and so could be used to compromise your account if discovered by an attacker even if they were years old.

Instead, if access_tokens had a finite life, and instead the server could expire them on demand and require the client to present a one-time use refresh_token to claim a new access_token, then old access_tokens left lying around the place become a lot less useful... and likewise old refresh_tokens. The attacker would have to intercept both the current refresh_token and access_token to compromise an account, and given refresh_tokens would be rarely used (unlike access_tokens, which decorate every request), this feels like it might provide a modest improvement in security.

@ara4n
Copy link
Member Author

ara4n commented Jan 8, 2019

@richvdh says:

though I think that if we're worrying about the security of access tokens, switching to a mac-based system instead of bearer tokens would give a better return on investment

@turt2live turt2live added the enhancement A suggestion for a relatively simple improvement to the protocol label Jan 9, 2019
@turt2live turt2live added the A-Client-Server Issues affecting the CS API label Feb 6, 2019
@richvdh
Copy link
Member

richvdh commented Jun 8, 2020

@richvdh says:

though I think that if we're worrying about the security of access tokens, switching to a mac-based system instead of bearer tokens would give a better return on investment

OAuth2 apparently reached the opposite conclusion...

Anyway, if we're doing this, we might go the whole hog and switch to OAuth2: https://github.com/matrix-org/matrix-doc/issues/2615

@richvdh richvdh transferred this issue from matrix-org/matrix-spec-proposals Mar 1, 2022
@richvdh
Copy link
Member

richvdh commented Jun 9, 2022

I think this is fixed by MSC2918 and #1056.

@richvdh richvdh closed this as completed Jun 9, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
A-Client-Server Issues affecting the CS API enhancement A suggestion for a relatively simple improvement to the protocol
Projects
None yet
Development

No branches or pull requests

3 participants