Closed jbasney closed 1 year ago
Re-reading https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-4.13 (Refresh Token Protection in OAuth 2.0 Security Best Current Practice, still a draft), however, refresh token rotation is specifically recommended for public clients. See also https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-05#section-4.3 (Refresh Token Grant in The OAuth 2.1 Authorization Framework, again still a draft). This is not to say that refresh tokens should not expire also for confidential clients, but there is no need to be very aggressive.
I opened an issue against oidc-agent, to clarify its support for refresh token rotation.
Gabriel gave an extensive and detailed reply, providing information on what is possible right now and what might be possible in the future.
I won't try to summarise the information beyond saying "it is possible to support RT rotation right now", which (I think) goes against perceived wisdom. The interested reader is invited to peruse the above issue for more details.
https://www.rfc-editor.org/rfc/rfc6819.html#section-5.2.2.3 says:
CILogon currently implements this. We've found that some clients ignore the new refresh token and try to keep using the old refresh token, which I believe is a violation of https://www.rfc-editor.org/rfc/rfc6749.html#section-6 which says:
Since I think the IAM default behavior is to never expire refresh tokens, the clients can ignore the new refresh tokens and still work successfully against IAM, which may cause problems when WLCG configures IAM to implement the 30-day maximum lifetime on refresh tokens as specified in the profile.
See the March 2022 thread about "Refresh token lifetime, renewal, revocation" on project-lcg-authz@cern.ch for additional context, including a discussion of current oidc-agent behavior.
It'd be helpful if the profile addressed the following topics:
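The failure mode described in the comment above (a client that keeps presenting the old refresh token after the server has rotated it, which goes unnoticed only while refresh tokens never expire) is easy to reproduce with a small model. The following is an added example written for this thread, not code from CILogon, IAM or oidc-agent. The token format, the per-family bookkeeping used for reuse detection and the `invalidate_old` switch are assumptions; the 30-day lifetime is the profile value quoted above, applied here to each issued refresh token from its issue time.

```python
"""Refresh token rotation: a toy authorization server plus two client behaviours.

Added example, not CILogon, IAM or oidc-agent code. Token format, family ids and
the `invalidate_old` switch are assumptions made for illustration.
"""
import secrets
from dataclasses import dataclass

DAY = 86400


@dataclass
class RefreshRecord:
    client_id: str
    family: str            # every token descended from one grant shares a family
    expires_at: float      # absolute time; inf when tokens never expire
    rotated: bool = False  # set once a successor token has been issued


class AuthorizationServer:
    def __init__(self, rotate, invalidate_old, max_lifetime=float("inf")):
        self.rotate = rotate                  # issue a new refresh token on every refresh
        self.invalidate_old = invalidate_old  # old token dies; its reuse revokes the family
        self.max_lifetime = max_lifetime      # lifetime of each issued token, in seconds
        self.tokens = {}
        self.revoked_families = set()
        self.now = 0.0                        # injected clock so runs are deterministic

    def _mint(self, client_id, family):
        rt = secrets.token_urlsafe(16)
        self.tokens[rt] = RefreshRecord(client_id, family, self.now + self.max_lifetime)
        return rt

    def grant(self, client_id):
        """Initial authorization: start a new token family."""
        return self._mint(client_id, secrets.token_hex(4))

    def refresh(self, client_id, rt):
        """Refresh token grant; returns None on any failure (an invalid_grant error)."""
        rec = self.tokens.get(rt)
        if rec is None or rec.client_id != client_id or rec.family in self.revoked_families:
            return None
        if self.now >= rec.expires_at:
            return None
        if rec.rotated:
            # A token that was already replaced is presented again: either a stale
            # client or a replay. Revoke the whole family (RFC 6819 sec. 5.2.2.3 idea).
            self.revoked_families.add(rec.family)
            return None
        resp = {"access_token": secrets.token_urlsafe(8), "refresh_token": rt}
        if self.rotate:
            resp["refresh_token"] = self._mint(client_id, rec.family)
            if self.invalidate_old:
                rec.rotated = True
        return resp


class Client:
    def __init__(self, client_id, honors_rotation):
        self.client_id = client_id
        self.honors_rotation = honors_rotation  # False models the clients CILogon observed
        self.refresh_token = None

    def authorize(self, server):
        self.refresh_token = server.grant(self.client_id)

    def get_access_token(self, server):
        resp = server.refresh(self.client_id, self.refresh_token)
        if resp is None:
            return None
        if self.honors_rotation:
            # RFC 6749 sec. 6: a newly issued refresh token replaces the stored one
            self.refresh_token = resp["refresh_token"]
        return resp["access_token"]


def successful_refreshes(rotate, invalidate_old, max_lifetime, honors_rotation, days=60):
    """Count how many of `days` once-a-day refreshes succeed for one client."""
    server = AuthorizationServer(rotate, invalidate_old, max_lifetime)
    client = Client("example-client", honors_rotation)  # constructed client id
    client.authorize(server)
    ok = 0
    for day in range(days):
        server.now = day * DAY
        if client.get_access_token(server) is not None:
            ok += 1
    return ok


if __name__ == "__main__":
    inf = float("inf")
    print("never expire, old RT stays valid, stale client:  ",
          successful_refreshes(True, False, inf, False))
    print("30-day RT lifetime, old RT stays valid, stale client:",
          successful_refreshes(True, False, 30 * DAY, False))
    print("30-day RT lifetime, rotating client:               ",
          successful_refreshes(True, False, 30 * DAY, True))
    print("reuse detection on, stale client:                  ",
          successful_refreshes(True, True, inf, False))
```

The four runs show the progression the comment describes: with non-expiring tokens the stale client succeeds on all 60 days, with a 30-day lifetime it stops working after day 30 while the client that stores each new token keeps going, and once the server invalidates the old token on rotation the stale client is cut off after its first refresh and the whole family is revoked, which is the signal a server can log to find such clients before a lifetime limit is switched on.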