<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">The points are valid and security can
always be improved, however sometimes improving security makes
things complicated with a not-so-big advantage... IMO the admin
should always protect the machine to make sure that nobody
unauthorized has access to refresh tokens. And for the transport,
HTTPS should always be used. But feel free to create a JIRA and we
will see...<br>
<br>
When a user or client is deleted, all refresh/offline tokens will
de facto become invalid as well and can't be used anymore. You're
right that an offline token is still valid after user logout. The user
can revoke it manually in account management or an admin can revoke
it in the admin console. However, a refresh token is invalid after user
logout. All refresh/offline tokens for a particular client can be
revoked by an admin by setting the notBefore policy to now, which can be done
in the admin console in the "Revocation" tab of the particular client.<br>
<br>
Marek<br>
<br>
On 07/10/15 04:27, Raghuram Prabhala wrote:<br>
</div>
<blockquote
cite="mid:710997604.1735164.1444184846487.JavaMail.yahoo@mail.yahoo.com"
type="cite">
<div style="color:#000; background-color:#fff; font-family:Courier
New, courier, monaco, monospace, sans-serif;font-size:13px">
<div id="yui_3_16_0_1_1444137442270_5147"><span
id="yui_3_16_0_1_1444137442270_5153">Very valid points Mike
and even I have similar concerns. But please do understand
that even if the refresh token is stolen or compromised, it
cannot be used by any client unless both the client_id and
client_secret are also compromised/stolen. But nevertheless,
it is a good practice to assume the worst and add in
protective measures to minimize the chances. </span></div>
<div id="yui_3_16_0_1_1444137442270_5147"><span><br>
</span></div>
<div id="yui_3_16_0_1_1444137442270_5147">Marek/Bill/Stian -
Even our organization is very particular that such potential
security issues be addressed. Can this be taken up? BTW I am
not sure if you have an API/End point to invalidate tokens for
those that are either compromised or must be invalidated as
either the user or client is no longer active. If you do not
have one then it is a good idea to make one available.</div>
<div id="yui_3_16_0_1_1444137442270_5147"><br>
</div>
<div id="yui_3_16_0_1_1444137442270_5147">Thanks,</div>
<div id="yui_3_16_0_1_1444137442270_5147">Raghu</div>
<br>
<div style="font-family: Courier New, courier, monaco,
monospace, sans-serif; font-size: 13px;"
id="yui_3_16_0_1_1444137442270_4970">
<div style="font-family: HelveticaNeue, Helvetica Neue,
Helvetica, Arial, Lucida Grande, sans-serif; font-size:
16px;" id="yui_3_16_0_1_1444137442270_4969">
<div dir="ltr" id="yui_3_16_0_1_1444137442270_4968">
<hr id="yui_3_16_0_1_1444137442270_5146" size="1"> <font
id="yui_3_16_0_1_1444137442270_4967" face="Arial"
size="2"> <b><span style="font-weight:bold;">From:</span></b>
"Kuznetsov, Mike" <a class="moz-txt-link-rfc2396E" href="mailto:mikhail.kuznetsov@hpe.com"><mikhail.kuznetsov@hpe.com></a><br>
<b><span style="font-weight: bold;">To:</span></b>
<a class="moz-txt-link-rfc2396E" href="mailto:keycloak-dev@lists.jboss.org">"keycloak-dev@lists.jboss.org"</a>
<a class="moz-txt-link-rfc2396E" href="mailto:keycloak-dev@lists.jboss.org"><keycloak-dev@lists.jboss.org></a> <br>
<b><span style="font-weight: bold;">Cc:</span></b>
"Jagadevan, Kamal"
<a class="moz-txt-link-rfc2396E" href="mailto:kamalakannan.jagadevan@hpe.com"><kamalakannan.jagadevan@hpe.com></a> <br>
<b><span style="font-weight: bold;">Sent:</span></b>
Tuesday, October 6, 2015 4:34 PM<br>
<b><span style="font-weight: bold;">Subject:</span></b>
Re: [keycloak-dev] Same Refresh token can be used
multiple times to obtain access token<br>
</font> </div>
<div class="y_msg_container"
id="yui_3_16_0_1_1444137442270_4988"><br>
<div id="yiv9982859949">
<div id="yui_3_16_0_1_1444137442270_4991">
<div class="yiv9982859949WordSection1"
id="yui_3_16_0_1_1444137442270_4990">
<div class="yiv9982859949MsoNormal"
id="yui_3_16_0_1_1444137442270_4989"><span
style="color:windowtext;">Hello,</span></div>
<div class="yiv9982859949MsoNormal"
id="yui_3_16_0_1_1444137442270_4992"><span
style="color:windowtext;"> </span></div>
<div class="yiv9982859949MsoNormal"
id="yui_3_16_0_1_1444137442270_4994"><span
style="color:windowtext;"
id="yui_3_16_0_1_1444137442270_4993">The reason
I brought this up is that we are currently
working on migrating our authentication from a
commercially available product called Ping to
Keycloak. We noticed that Ping invalidates the
refresh token after it is used once, while
Keycloak does not.</span></div>
<div class="yiv9982859949MsoNormal"
id="yui_3_16_0_1_1444137442270_5100"><span
style="color:windowtext;"> </span></div>
<div class="yiv9982859949MsoNormal"
id="yui_3_16_0_1_1444137442270_5050"><span
style="color:windowtext;"
id="yui_3_16_0_1_1444137442270_5049">I and my
colleague, Kamal are concerned that by not
invalidating the refresh token after first use,
we may be opening a security hole. While SSL may
protect the token in transit, we can see a
scenario where the refresh token would be
compromised or stolen from the client itself. In
this case, the stolen refresh token could be
used to get new access tokens without the owner
of the client machine knowing.
</span></div>
<div class="yiv9982859949MsoNormal"
id="yui_3_16_0_1_1444137442270_5051"><span
style="color:windowtext;"> </span></div>
<div class="yiv9982859949MsoNormal"
id="yui_3_16_0_1_1444137442270_5053"><span
style="color:windowtext;"
id="yui_3_16_0_1_1444137442270_5052">However, if
the behavior was changed so that the refresh
token could only be used once, then either:</span></div>
<div class="yiv9982859949MsoListParagraph" style=""
id="yui_3_16_0_1_1444137442270_5055"><span
style="color:windowtext;"><span style="">1.<span
style="font:7.0pt;">
</span></span></span><span
style="color:windowtext;"
id="yui_3_16_0_1_1444137442270_5054">If the
owner of the client machine would use the
refresh token first, then the stolen refresh
token could not be used</span></div>
<div class="yiv9982859949MsoListParagraph" style=""
id="yui_3_16_0_1_1444137442270_5057"><span
style="color:windowtext;"><span style="">2.<span
style="font:7.0pt;">
</span></span></span><span
style="color:windowtext;"
id="yui_3_16_0_1_1444137442270_5056">If the
stolen refresh token would be used first, then
the client machine would not be able to use it
and the user of that client machine could be
alerted that something was wrong. This user
could then reset their password or invalidate
all of their access and refresh tokens.</span></div>
<div class="yiv9982859949MsoNormal"
id="yui_3_16_0_1_1444137442270_5348"><span
style="color:windowtext;"> </span></div>
<div class="yiv9982859949MsoNormal"
id="yui_3_16_0_1_1444137442270_5097"><span
style="color:windowtext;"
id="yui_3_16_0_1_1444137442270_5096">Furthermore,
we are concerned about this same scenario, but
with the offline token. My understanding is that
the offline token does not expire and that it
can’t be invalidated by logging out the user or
changing the user’s password. Have you thought
about this scenario?</span></div>
<div class="yiv9982859949MsoNormal"
id="yui_3_16_0_1_1444137442270_5098"><span
style="color:#1F497D;"> </span></div>
<div class="yiv9982859949MsoNormal"
id="yui_3_16_0_1_1444137442270_5099">Thank You,</div>
<div class="yiv9982859949MsoNormal"
id="yui_3_16_0_1_1444137442270_5139"><span
style="font-size:9.0pt;"><br clear="none">
</span><b><span style="font-size:10.0pt;">Mikhail
Kuznetsov</span></b></div>
<div class="yiv9982859949MsoNormal"><span
style="font-size:9.0pt;">Software Engineer</span></div>
<div class="yiv9982859949MsoNormal"><span
style="font-size:9.0pt;">Hewlett Packard
Enterprise</span></div>
<div class="yiv9982859949MsoNormal"><span
style="color:#1F497D;"> </span></div>
<div class="qtdSeparateBR"><br>
<br>
</div>
<div class="yiv9982859949yqt6340486090"
id="yiv9982859949yqt14995">
<div id="yui_3_16_0_1_1444137442270_5006">
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in;"
id="yui_3_16_0_1_1444137442270_5005">
<div class="yiv9982859949MsoNormal"
id="yui_3_16_0_1_1444137442270_5004"><b><span
style="color:windowtext;">From:</span></b><span
style="color:windowtext;"
id="yui_3_16_0_1_1444137442270_5003">
Marek Posolda [<a class="moz-txt-link-freetext" href="mailto:mposolda@redhat.com">mailto:mposolda@redhat.com</a>]
<br clear="none">
<b>Sent:</b> Tuesday, October 06, 2015
1:16 PM<br clear="none">
<b>To:</b> Raghu Prabhala<br clear="none">
<b>Cc:</b> Kuznetsov, Mike;
<a class="moz-txt-link-abbreviated" href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br
clear="none">
<b>Subject:</b> Re: [keycloak-dev] Same
Refresh token can be used multiple times
to obtain access token</span></div>
</div>
</div>
<div class="yiv9982859949MsoNormal"> </div>
<div id="yui_3_16_0_1_1444137442270_5008">
<div class="yiv9982859949MsoNormal"
id="yui_3_16_0_1_1444137442270_5007">Hi Raghu,<br
clear="none">
<br clear="none">
From the specs, it looks to me that this
is not anything mandatory. The paragraph is
starting "For example". Feel free to create
JIRA, but I personally can't promise anything
regarding this...<br clear="none">
<br clear="none">
Marek<br clear="none">
<br clear="none">
<br clear="none">
On 06/10/15 17:37, Raghu Prabhala wrote:<span
style="font-size:12.0pt;"></span></div>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt;"
id="yui_3_16_0_1_1444137442270_5011">
<div>
<div class="yiv9982859949MsoNormal">Hi Marek -
section 10.4 of rfc6749 mentions that the
prior refresh token should be invalidated
but retained by the server - to handle
compromise of refresh tokens as they are
long lived. </div>
</div>
<div id="yiv9982859949AppleMailSignature">
<div class="yiv9982859949MsoNormal"> </div>
</div>
<div id="yiv9982859949AppleMailSignature">
<div class="yiv9982859949MsoNormal">Thanks,</div>
</div>
<div id="yiv9982859949AppleMailSignature">
<div class="yiv9982859949MsoNormal">Raghu<br
clear="none">
<br clear="none">
Sent from my iPhone</div>
</div>
<div id="yui_3_16_0_1_1444137442270_5010">
<div class="yiv9982859949MsoNormal"
style="margin-bottom:12.0pt;"
id="yui_3_16_0_1_1444137442270_5009"><br
clear="none">
On Oct 6, 2015, at 10:53 AM, Marek Posolda
<<a moz-do-not-send="true" rel="nofollow"
shape="rect"
ymailto="mailto:mposolda@redhat.com"
target="_blank"
href="mailto:mposolda@redhat.com">mposolda@redhat.com</a>>
wrote:</div>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt;">
<div>
<div>
<div class="yiv9982859949MsoNormal">You're
right, same refresh token can be used
more times. However it is still better
to use refresh token R2 in your step 3
instead of using old refresh token R1
because R2 has updated timestamp (each
token is valid just for 30 minutes or
so, depends on the configured SSO
session idle timeout).<br clear="none">
<br clear="none">
Or are you referring that this is
security issue and potential possibility
to Man in the middle? If you use HTTPS
(which is recommended for production
environment, and especially if you have
unsecured/untrusted network), this
shouldn't be an issue.<br clear="none">
<br clear="none">
Marek<br clear="none">
<br clear="none">
On 06/10/15 16:34, Kuznetsov, Mike
wrote:</div>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt;">
<div class="yiv9982859949MsoNormal">Hello,</div>
<div class="yiv9982859949MsoNormal"> </div>
<div class="yiv9982859949MsoNormal">I
noticed that with Keycloak, it seems
that refresh tokens are still valid
after they are used once. This means
that Keycloak does
<b>not</b> invalidate Refresh Tokens
after they have been used once.</div>
<div class="yiv9982859949MsoNormal"> </div>
<div class="yiv9982859949MsoNormal">I am
able to successfully execute the
following flow:</div>
<div class="yiv9982859949MsoListParagraph"
style=""><span style="">1.<span
style="font:7.0pt;">
</span></span>Obtain Access Token (A1)
and Refresh Token (R1)</div>
<div class="yiv9982859949MsoListParagraph"
style=""><span style="">2.<span
style="font:7.0pt;">
</span></span>Use Refresh Token (R1)
to obtain new Access Token (A2) and
Refresh Token (R2)</div>
<div class="yiv9982859949MsoListParagraph"
style=""><span style="">3.<span
style="font:7.0pt;">
</span></span>Use same Refresh Token
(R1) again to obtain new Access Token
(A3) and Refresh Token (R3)</div>
<div class="yiv9982859949MsoNormal"> </div>
<div class="yiv9982859949MsoNormal"> </div>
<div class="yiv9982859949MsoNormal">Can
you please tell me if this is the
intended functionality?</div>
<div class="yiv9982859949MsoNormal"> </div>
<div class="yiv9982859949MsoNormal">Thank
You,</div>
<div class="yiv9982859949MsoNormal"><span
style="font-size:9.0pt;"><br
clear="none">
</span><b><span
style="font-size:10.0pt;">Mikhail
Kuznetsov</span></b></div>
<div class="yiv9982859949MsoNormal"><span
style="font-size:9.0pt;">Software
Engineer</span></div>
<div class="yiv9982859949MsoNormal"><span
style="font-size:9.0pt;">Hewlett
Packard Enterprise</span></div>
<div class="yiv9982859949MsoNormal"> </div>
<div class="yiv9982859949MsoNormal"><span
style="font-size:12.0pt;"><br
clear="none">
<br clear="none">
<br clear="none">
</span></div>
<pre>_______________________________________________</pre>
<pre>keycloak-dev mailing list</pre>
<pre><a moz-do-not-send="true" rel="nofollow" shape="rect" ymailto="mailto:keycloak-dev@lists.jboss.org" target="_blank" href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a></pre>
<pre><a moz-do-not-send="true" rel="nofollow" shape="rect" target="_blank" href="https://lists.jboss.org/mailman/listinfo/keycloak-dev">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></pre>
</blockquote>
<div class="yiv9982859949MsoNormal"><span
style="font-size:12.0pt;"> </span></div>
</div>
</blockquote>
</blockquote>
</div>
<div class="yiv9982859949MsoNormal"><span
style="font-size:12.0pt;"> </span></div>
</div>
</div>
</div>
<br>
<br>
<br>
</div>
</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
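<p>The thread asks for single-use refresh tokens whose replay is detectable (RFC 6749 section 10.4, Mike's scenario 2) and mentions Keycloak's per-client notBefore revocation and the idle timeout. The sketch below is an added Python example of such a server-side store, not Keycloak's code: the class and method names, the "token family" model and the alert list are my own assumptions, and token values are constructed at random with no persistence or HTTP.</p>

```python
"""Single-use refresh tokens with reuse detection (added example, not Keycloak code)."""
from __future__ import annotations

import secrets
from dataclasses import dataclass


@dataclass
class RefreshRecord:
    client_id: str
    family: str           # id shared by every token descended from one initial grant
    issued_at: float
    used: bool = False    # set when rotated; the record is retained, not deleted


class RefreshTokenStore:
    def __init__(self, idle_timeout: float = 1800.0):
        self.idle_timeout = idle_timeout               # "30 minutes or so" from the thread
        self._tokens: dict[str, RefreshRecord] = {}
        self._revoked_families: set[str] = set()
        self.not_before: dict[str, float] = {}         # client_id -> cut-off timestamp
        self.alerts: list[str] = []                    # families in which a replay was seen

    def issue_initial(self, client_id: str, now: float) -> str:
        token = secrets.token_urlsafe(16)              # constructed random value
        self._tokens[token] = RefreshRecord(client_id, family=token, issued_at=now)
        return token

    def refresh(self, token: str, client_id: str, now: float) -> str | None:
        """Rotate: return a new refresh token, or None when the grant must be refused."""
        rec = self._tokens.get(token)
        if rec is None or rec.client_id != client_id:
            return None
        if rec.family in self._revoked_families:
            return None
        if rec.issued_at < self.not_before.get(client_id, 0.0):
            return None                                # killed by admin notBefore
        if now - rec.issued_at > self.idle_timeout:
            return None                                # expired, as with any refresh token
        if rec.used:
            # Replay of an already-rotated token (scenario 2 in the thread): a second
            # party holds a copy. Revoke the whole family and record an alert.
            self._revoked_families.add(rec.family)
            self.alerts.append(rec.family)
            return None
        rec.used = True                                # RFC 6749 10.4: invalidate but retain
        new_token = secrets.token_urlsafe(16)
        self._tokens[new_token] = RefreshRecord(client_id, rec.family, issued_at=now)
        return new_token

    def revoke_client_now(self, client_id: str, now: float) -> None:
        """Equivalent of the admin console 'Revocation' tab: notBefore = now."""
        self.not_before[client_id] = now
```

<p>Running Mike's three steps against this store, step 2 succeeds and step 3 (R1 presented again) is refused, the family containing R2 is revoked and an alert is recorded, so the legitimate client notices at its next refresh.</p>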
<br>
</body>
</html>