For any of you at RSA, there will be an On-Demand Peer-to-Peer meeting for anyone interested in Mash SSL. It will be held in Burgundy 220 from 2:10 to 3:00 tomorrow.
Ben
Benjamin T. Wilson, JD CISSP
General Counsel and SVP Industry Relations
DigiCert, Inc.
Online: www.DigiCert.com
Email: b...@digicert.com
Toll Free: 1-800-896-7973 (US & Canada)
Direct: 1-801-701-9678
Fax: 1-866-842-0223 (Toll Free if calling from the US or Canada)
The information contained in this transmission may contain privileged and confidential information. It is intended only for the use of the person(s) named above. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution or duplication of this communication is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message. Thank You
I think the Refresh token may be intended to solve that, but I would like
to understand what additional security it provides over just an access
token with a long expiry. I can speculate but would like to hear the real
security considerations and intentions behind the refresh token
Mark McGloin
If you send long-lived access tokens to servers, those servers need to
constantly make RPCs to a central backend to check whether the user
has revoked access.
If you send short-lived access tokens that are periodically refreshed,
you reduce the number of calls you need to make to central backends.
The access tokens can be statically verified.
Cheers,
Brian
--
You received this message because you are subscribed to the Google Groups "OAuth WRAP WG" group.
To post to this group, send email to oauth-...@googlegroups.com.
To unsubscribe from this group, send email to oauth-wrap-w...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/oauth-wrap-wg?hl=en.
Yes. Some systems need to optimize this check, and it's much easier
to optimize if the tokens are short-lived. Bloom filters and
cryptography both come in useful.
Cheers,
Brian
Cheers,
Brian
Cheers,
Brian
To unsubscribe from this group, send email to oauth-wrap-w...@googlegroups.com <mailto:oauth-wrap-wg%2Bunsu...@googlegroups.com> .
To unsubscribe from this group, send email to oauth-wrap-w...@googlegroups.com.
Imagine that the protected resource is a replicated service behind a
load balancer. Which of the umpteen machines do you tell that the
token is revoked? If you tell all of them, what do you do when one is
down or unreachable? Does every protected resource server keep track
individually of the issued tokens? How do you get them back in sync
when they disagree?
> Isn't that simpler than all the traffic of
> refreshing short-lived tokens or having the Protected Resource continually
> check?
No, it isn't. =)
Cheers,
Brian
-- Dick
--------------
Alan Karp
Load balancers don't typically operate at this level.
> If checking against the list of
> revoked tokens is too much work for the load balancer, it can make
> sure all workers have a current copy of the list.
OK, let's assume
a) tokens never expire
b) but can be revoked
c) something keeps a list of all revoked tokens
That requires infinite storage. It's a CRL for certificates that never expire.
Cheers,
Brian
1. If tokens are going to be contain signed material (such that an PR
can validate the token on its face against the resource(s) it's
protecting) then you're in the same problem space as PKI: trust,
certification, expiration, revocation, renewal.
2. If a token is meant to protect more than one resource, then there is
a scoping issue, as client and AS need to prearrange what resources it
will be requiring access to, in order to have the token scoped to those
resources.
3. If a token is going to be long-lived, you're going to need to handle
the case of' revoking a token to disable authorization should it be
invalidated before it is due to expire.
4. If a token is going to be short-lived, you're going to need to
refresh it frequently to maintain an active one, this will increase
overall burden on client and AS to handle frequently-issued,
properly-scoped access tokens.
5. If a PR is going to back-channel somewhere to check for token
revocation, you might as well just use a completely opaque token and
have the RP go back-channel to check its authorization against the
resources being requested (a la PEP-PDP model). This avoids a great deal
of the PKI (and scoping!) requirements that prima facie, STS-style token
validation incurs.
Paul
Nobody said anything about no expiration, just long-lived.
--------------
Alan Karp
Sure, if you assume you can do high-availability, low-latency,
replicated server-side state that can handle the same number of
queries per second as all of the services that rely on it, the problem
is easy. But that's not always practical.
Once deployments decide that they can't meet one of those assumptions,
they tend to turn towards cryptography to optimize in one direction or
another.
The result is protocols like Kerberos, or WRAP, or the SAML browser
POST profile, or OpenID.
Cheers,
Brian