OAuth token revocation on password change


Rob Allen

Feb 20, 2013, 3:14:28 AM
to joindin-d...@googlegroups.com
Hi all,

I've just read http://inessential.com/2013/02/19/security_bug_ and he makes the good point that if you change your password on a web site, you expect all apps you had previously authorised to require re-authorisation.

Is joind.in's v2 API susceptible to this mismatch of expectation?


I also saw a suggestion that whenever an app is authorised to use the API, a notification email should be sent to the registered email address, just in case the authorisation was unexpected. I have no idea if we do this or not either, but I think it's a good idea too.


Any thoughts, anyone?


Rob...

Lorna Mitchell

Feb 25, 2013, 4:07:37 AM
to joindin-d...@googlegroups.com
I disagree.  OAuth is all about keeping the relationships between the user, the provider, and the various consumers quite separate.  If the user changes their password, that only affects one of those relationships and should not revoke all the app permissions for consumers - those can be revoked separately at any time, and you exactly *don't* have to change your password to remove those rights from one or more third party apps.

I don't believe that the user would expect the consumer accesses to be revoked - twitter, for example, does not revoke app permissions when you change your password.

Regards

Lorna



On 25 February 2013 07:04, <*@davidstockton.com> wrote:
I agree that it's important and if we're not de-authing apps on password change and sending emails regarding password changes (and email address changes) we should also be doing that as well. We should also send email notifications of new app auths as well.

I guess the next steps are to determine which, if any, we're doing.

David

--
You received this message because you are subscribed to the Google Groups "joindin-developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to joindin-develop...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

--
Lorna Mitchell
http://lornajane.net


Rob Allen

Feb 25, 2013, 8:53:31 AM
to joindin-d...@googlegroups.com
Hi,

I would be interested to know how many consumers think like that. Certainly, it had never crossed my mind before that article to check my list of authorised apps on Twitter in case a rogue one had been added. I had also assumed that changing my password on Twitter made my account secure which is also a wrong assumption.

I do think that we should email the user if a new app is authorised on their account, just in case they didn't do it.

I can see an argument that we should send an email to the old email address if the account's email address is changed too.


Fascinating subject.


Regards,

Rob...


Stefan Koopmanschap

Feb 25, 2013, 9:00:55 AM
to joindin-d...@googlegroups.com
Hi,

On February 25, 2013 2:53 PM, Rob Allen wrote:

> I do think that we should email the user if a new app is authorised on their account, just in case they didn't do it.

Yes, this seems very useful.

> I can see an argument that we should send an email to the old email address if the account's email address is changed too.

This is what big companies like eBay do as well; they even have a link in the e-mail to the old e-mail address that allows them to revert the change (within a certain time frame, I believe), so that if an account gets hacked and the e-mail address is changed, the user can revert that change themselves if need be.

Stefan

Marc Towler

Feb 25, 2013, 10:47:48 AM
to joindin-d...@googlegroups.com
I agree that emailing a user when a new application is authorised


Sent from Samsung Mobile on O2


Kevin Bowman

Feb 25, 2013, 6:06:24 PM
to joindin-d...@googlegroups.com
I must confess, I'd always assumed that tokens would not be revoked on password change, largely because they're a different entity and I don't mentally link them, and the inconvenience of re-auth'ing my apps is just annoying.  I also think that that's a good thing - I can easily revoke the tokens if I want to, but when I changed my password I wasn't trying to revoke the tokens.  I would understand, however, if after changing my password I was offered a 1-click "Do you also want to revoke all of your access tokens?" option for convenience.

Doing some research, it looks like Facebook do revoke their tokens on password change (at least for perpetual offline_access tokens, it's a little hard to find info about it), however Twitter just invites you to review your authorized apps (which is good practice to do periodically anyway).  I agree that emailing users whenever their email address or their authorized apps changes is a good thing.

The OAuth 2 spec doesn't seem to make reference to this scenario, however the OAuth 1 spec says:

"""
The purpose of the
   token is to make it unnecessary for the resource owner to share its
   credentials with the client.  Unlike the resource owner credentials,
   tokens can be issued with a restricted scope and limited lifetime,
   and revoked independently.
"""

On balance, I think that the Twitter model is reasonable where if a user has authorized apps then after they reset their password they should be invited to review / revoke their apps.

Just my tuppence.

Kevin
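The two policies Kevin compares, plus the notification emails discussed earlier in the thread, sketched as an added example. This is illustrative Python written for this page, not joind.in's own (PHP) code, and every class, method and field name in it is invented: the provider either revokes all tokens on password change or keeps them and flags the account so the UI can offer the "review / revoke your apps" step, and it mails the old address when the email address changes.

```python
"""Toy OAuth provider modelling the policies discussed in this thread.

Added example, not joind.in's code: every class, method and field name here
is invented for illustration. The provider
  - mails the account when a new consumer is authorised,
  - on password change either revokes every token (the Facebook behaviour
    described above) or keeps them and flags the account so the UI can offer
    a "review / revoke your apps" step (the Twitter behaviour), and
  - mails the *old* address when the email address changes.
"""
from dataclasses import dataclass, field
import hashlib
import secrets
import time


@dataclass
class Token:
    value: str
    consumer: str
    scope: str
    issued_at: float
    revoked: bool = False


@dataclass
class Account:
    username: str
    email: str
    salt: bytes
    password_hash: bytes
    tokens: list = field(default_factory=list)
    review_pending: bool = False  # True when the user should review their apps


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example dependency-free; use the KDF your framework recommends.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class Provider:
    def __init__(self, revoke_on_password_change: bool = False):
        self.revoke_on_password_change = revoke_on_password_change
        self.accounts: dict = {}
        self.outbox: list = []  # (recipient, subject) pairs standing in for sent mail

    def register(self, username: str, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(username, email, salt, _hash_password(password, salt))

    def check_password(self, username: str, password: str) -> bool:
        acct = self.accounts[username]
        return secrets.compare_digest(acct.password_hash, _hash_password(password, acct.salt))

    def authorize(self, username: str, consumer: str, scope: str) -> Token:
        """Issue a token and notify the user, in case they did not authorise it."""
        acct = self.accounts[username]
        token = Token(secrets.token_urlsafe(32), consumer, scope, time.time())
        acct.tokens.append(token)
        self.outbox.append((acct.email, f"New application authorised: {consumer}"))
        return token

    def token_valid(self, username: str, value: str) -> bool:
        return any(t.value == value and not t.revoked for t in self.accounts[username].tokens)

    def active_consumers(self, username: str) -> list:
        return [t.consumer for t in self.accounts[username].tokens if not t.revoked]

    def revoke_all(self, username: str) -> int:
        """The one-click 'revoke all access tokens' step; returns the number revoked."""
        acct = self.accounts[username]
        live = [t for t in acct.tokens if not t.revoked]
        for t in live:
            t.revoked = True
        acct.review_pending = False
        return len(live)

    def change_password(self, username: str, new_password: str) -> None:
        acct = self.accounts[username]
        acct.salt = secrets.token_bytes(16)
        acct.password_hash = _hash_password(new_password, acct.salt)
        self.outbox.append((acct.email, "Your password was changed"))
        if self.revoke_on_password_change:
            self.revoke_all(username)
        elif self.active_consumers(username):
            # Twitter model: tokens stay valid, the user is invited to review them.
            acct.review_pending = True

    def change_email(self, username: str, new_email: str) -> None:
        acct = self.accounts[username]
        old_email, acct.email = acct.email, new_email
        # The old address is told as well, so a hijacked account is noticed.
        for recipient in (old_email, new_email):
            self.outbox.append((recipient, "Your email address was changed"))


if __name__ == "__main__":
    p = Provider()  # Twitter-style: keep tokens, prompt for review
    p.register("rob", "rob@example.invalid", "old-pass")
    t = p.authorize("rob", "some-mobile-app", "read write")
    p.change_password("rob", "new-pass")
    print("token still valid:", p.token_valid("rob", t.value))
    print("review pending:", p.accounts["rob"].review_pending)
    print("mail sent:", p.outbox)
```

The `revoke_on_password_change` switch is the whole design decision in one place: with it off, the password and the consumer tokens remain independent credentials as the OAuth 1 text quoted above describes, and `review_pending` is what a web UI would read to show the post-reset "review your apps" prompt; with it on, a password change doubles as a revoke-all. Either way the notification mail is sent, since that part of the thread had no dissent.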