<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
span.yiv2550815952
{mso-style-name:yiv2550815952;}
span.yiv2550815952hoenzb
{mso-style-name:yiv2550815952hoenzb;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:"Consolas",serif;}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1315569848;
mso-list-template-ids:1573020912;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Hello,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">As advised earlier, I have put a JIRA ticket for this issue:
<a href="https://issues.jboss.org/browse/KEYCLOAK-1961">https://issues.jboss.org/browse/KEYCLOAK-1961</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">We are excited to start using Keycloak to support our product, but right now we are blocked due to this issue because it has been flagged by our security team
when they were reviewing our design.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Over the past few days, we have tried to overcome this issue by trying to revoke either the specific access token / refresh token if it is used more than once,
or trying to revoke all the tokens for the user. However, we were unable to find a mechanism that would let us do this.
<b>Do you know if there is any mechanism to revoke a specific token, or to revoke all tokens for a user? Are there any plans to implement this in the future?<o:p></o:p></b></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></b></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Thank You,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><br>
</span><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#1F497D">Mikhail Kuznetsov<o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Arial",sans-serif;color:#717172">Software Engineer<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Arial",sans-serif;color:#717172">Hewlett Packard Enterprise
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> keycloak-dev-bounces@lists.jboss.org [mailto:keycloak-dev-bounces@lists.jboss.org]
<b>On Behalf Of </b>Kamal Jagadevan<br>
<b>Sent:</b> Monday, October 12, 2015 8:26 PM<br>
<b>To:</b> stian@redhat.com; Marek Posolda<br>
<b>Cc:</b> keycloak-dev@lists.jboss.org; Jagadevan, Kamal<br>
<b>Subject:</b> Re: [keycloak-dev] Same Refresh token can be used multiple times to obtain access token<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div id="yui_3_16_0_1_1444693001625_3845">
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;color:black">Hi Stian/Marek,<o:p></o:p></span></p>
</div>
<div id="yui_3_16_0_1_1444693001625_3847">
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;color:black"> Thanks for your attention in the matter.<o:p></o:p></span></p>
</div>
<div id="yui_3_16_0_1_1444693001625_4124">
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;color:black">Probably you are referring to one other issue in client level, but Mike & I are referring at User level within or across client.<o:p></o:p></span></p>
</div>
<div id="yui_3_16_0_1_1444693001625_4425">
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;color:black"><o:p> </o:p></span></p>
</div>
<div id="yui_3_16_0_1_1444693001625_4677">
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;color:black">User John Doe authenticates with his credentials and obtains token pair
<b id="yui_3_16_0_1_1444693001625_6041">A1R1</b><o:p></o:p></span></p>
</div>
<ol start="1" type="1" id="yui_3_16_0_1_1444693001625_5395">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1;background:white" id="yui_3_16_0_1_1444693001625_5397">
<span style="font-size:10.0pt">After A1 expires, app refreshes the token pair to <b id="yui_3_16_0_1_1444693001625_6048">
A2R2 </b>USING R1<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1;background:white" id="yui_3_16_0_1_1444693001625_5394">
<span style="font-size:10.0pt">After A2 expires, app refreshes the token pair to <b id="yui_3_16_0_1_1444693001625_6585">
A3R3 <span style="background:#FDEF2B">USING </span></b></span><b><span style="color:#CD232C;background:#FDEF2B">R1</span></b><b id="yui_3_16_0_1_1444693001625_6109">
</b><span style="font-size:10.0pt">(ideally it is should use R2 as it is the latest refresh token)<o:p></o:p></span></li></ol>
<div id="yui_3_16_0_1_1444693001625_4795">
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;color:black">
<o:p></o:p></span></p>
</div>
<div id="yui_3_16_0_1_1444693001625_5714">
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;color:black">In order to achieve this functionality, I was wondering why can't we use existing last refresh time from User session rather then checking it in the client session.<o:p></o:p></span></p>
</div>
<div id="yui_3_16_0_1_1444693001625_5803">
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;color:black">IMHO, adding one more validation in the ValidateToken method in TokenManager class like this should resolve the problem.<o:p></o:p></span></p>
</div>
<div id="yui_3_16_0_1_1444693001625_6328">
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;color:black"><o:p> </o:p></span></p>
</div>
<div id="yui_3_16_0_1_1444693001625_6478">
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;color:black"> // after userSession is determined either for offline token or online token...<o:p></o:p></span></p>
</div>
<div id="yui_3_16_0_1_1444693001625_6378">
<p class="MsoNormal" style="margin-bottom:12.0pt;background:white"><span style="font-size:10.0pt;color:black"> if(oldToken.getIssuedAt() < userSession.getLastSessionRefresh()) {<br id="yui_3_16_0_1_1444693001625_6365">
throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Stale refresh token - already used");<br id="yui_3_16_0_1_1444693001625_6367">
}<o:p></o:p></span></p>
</div>
<div id="yui_3_16_0_1_1444693001625_6325">
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;color:black"><o:p> </o:p></span></p>
</div>
<div id="yui_3_16_0_1_1444693001625_6327">
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;color:black">Please let me know if you see any pitfalls other than the backward compatibility for existing keycloak users. I can work with you to merge this change & test it in the
master.<o:p></o:p></span></p>
</div>
<div id="yui_3_16_0_1_1444693001625_6842">
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;color:black"><o:p> </o:p></span></p>
</div>
<div id="yui_3_16_0_1_1444693001625_6885">
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;color:black">Best<o:p></o:p></span></p>
</div>
<div id="yui_3_16_0_1_1444693001625_6887">
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;color:black">Kamal<o:p></o:p></span></p>
</div>
<div id="yui_3_16_0_1_1444693001625_4258">
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;color:black"><o:p> </o:p></span></p>
</div>
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;color:black"><o:p> </o:p></span></p>
<div id="yui_3_16_0_1_1444693001625_3853">
<div id="yui_3_16_0_1_1444693001625_3852">
<div id="yui_3_16_0_1_1444693001625_3851">
<div class="MsoNormal" align="center" style="text-align:center;background:white">
<span style="font-family:"Helvetica",sans-serif;color:black">
<hr size="1" width="100%" align="center">
</span></div>
<p class="MsoNormal" style="background:white"><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">From:</span></b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"> Stian Thorgersen <<a href="mailto:sthorger@redhat.com">sthorger@redhat.com</a>><br>
<b>To:</b> Marek Posolda <<a href="mailto:mposolda@redhat.com">mposolda@redhat.com</a>>
<br>
<b>Cc:</b> "Jagadevan, Kamal" <<a href="mailto:kamalakannan.jagadevan@hpe.com">kamalakannan.jagadevan@hpe.com</a>>; "<a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a>" <<a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a>>
<br>
<b>Sent:</b> Wednesday, October 7, 2015 8:38 AM<br>
<b id="yui_3_16_0_1_1444693001625_5932">Subject:</b> Re: [keycloak-dev] Same Refresh token can be used multiple times to obtain access token</span><span style="font-family:"Helvetica",sans-serif;color:black"><o:p></o:p></span></p>
</div>
<div id="yui_3_16_0_1_1444693001625_3855">
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black"><o:p> </o:p></span></p>
<div id="yiv2550815952">
<div id="yui_3_16_0_1_1444693001625_3861">
<div id="yui_3_16_0_1_1444693001625_4112">
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black">You're right, we'd have to introduce a lastRefresh on ClientSession<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt;background:white"><span style="font-family:"Helvetica",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div id="yiv2550815952yqt92102">
<div id="yui_3_16_0_1_1444693001625_3860">
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black"><o:p> </o:p></span></p>
<div id="yui_3_16_0_1_1444693001625_3859">
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black">On 7 October 2015 at 14:35, Marek Posolda <<a href="mailto:mposolda@redhat.com" target="_blank" id="yui_3_16_0_1_1444693001625_3857">mposolda@redhat.com</a>>
wrote:<br>
<br>
<o:p></o:p></span></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div id="yui_3_16_0_1_1444693001625_3870">
<div id="yui_3_16_0_1_1444693001625_5188">
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black">On 07/10/15 14:23, Stian Thorgersen wrote:<o:p></o:p></span></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt" id="yui_3_16_0_1_1444693001625_4417">
<div id="yui_3_16_0_1_1444693001625_4416">
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black">We should make this configurable. For those worried about security they can enforce new refresh tokens as well as offline tokens will replace the old
tokens. It would be fairly simply to implement. If enabled we would only allow refresh token where iat is >= the last session refresh time.<o:p></o:p></span></p>
</div>
</blockquote>
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black">I was also thinking about this possibility. However if you have 2 clients and you refresh the token for client1, the refresh token of client2 won't be
valid as his "iat" will be older. Also SSO login currently refreshes lastSessionRefresh on UserSession. However maybe we can introduce lastSessionRefresh to ClientSession as well?</span><span style="font-family:"Helvetica",sans-serif;color:#888888"><br>
<br>
<span class="yiv2550815952hoenzb">Marek</span></span><span style="font-family:"Helvetica",sans-serif;color:black"><o:p></o:p></span></p>
<div id="yui_3_16_0_1_1444693001625_3869">
<div id="yui_3_16_0_1_1444693001625_3868">
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black"><br>
<br>
<o:p></o:p></span></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div id="yui_3_16_0_1_1444693001625_3877">
<div id="yui_3_16_0_1_1444693001625_3876">
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black">I wouldn't make it default behavior for two reasons:
<o:p></o:p></span></p>
<div>
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black">* It would break existing clients if they expect to continue using the old refresh token<o:p></o:p></span></p>
</div>
<div id="yui_3_16_0_1_1444693001625_4414">
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black">* It comes at a performance cost as clients will have to store the new refresh tokens and offline tokens each time they refresh the token<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black">* For offline tokens Keycloak would also have to persist the last refresh time each time the offline token is refreshed<o:p></o:p></span></p>
</div>
<div id="yui_3_16_0_1_1444693001625_3875">
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div id="yui_3_16_0_1_1444693001625_3975">
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black">I think we'd need to make it a realm wide configuration option.<o:p></o:p></span></p>
<div id="yui_3_16_0_1_1444693001625_3977">
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black"><o:p> </o:p></span></p>
<div id="yui_3_16_0_1_1444693001625_3981">
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black">On 7 October 2015 at 14:12, Marek Posolda <<a href="mailto:mposolda@redhat.com" target="_blank" id="yui_3_16_0_1_1444693001625_3979">mposolda@redhat.com</a>>
wrote:<br>
<br>
<o:p></o:p></span></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div id="yui_3_16_0_1_1444693001625_3984">
<div id="yui_3_16_0_1_1444693001625_3983">
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black">The points are valid and security can be always improved, however sometimes improving security makes things complicated with the not-so-big advantage...
IMO admin should always protect the machine to make sure that nobody unauthorized has access to refresh tokens. And for the transport, HTTPS should be always used. But feel free to create JIRA and we will see...<br>
<br>
When user or client is deleted, all refresh/offline tokens will defacto become invalid as well and can't be used anymore. You're right that offline token is still valid after user logout. User can revoke it manually in account management or admin can revoke
it in admin console. However refresh token is invalid after user logout. All refresh/offline tokens for particular client can be revoked by admin by set notBefore policy to now, which can be done in admin console in "Revocation" tab of particular client.</span><span style="font-family:"Helvetica",sans-serif;color:#888888"><br>
<br>
Marek</span><span style="font-family:"Helvetica",sans-serif;color:black"> <o:p></o:p></span></p>
<div id="yui_3_16_0_1_1444693001625_4407">
<div id="yui_3_16_0_1_1444693001625_4406">
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black"><br>
<br>
On 07/10/15 04:27, Raghuram Prabhala wrote:<o:p></o:p></span></p>
</div>
</div>
</div>
<div id="yui_3_16_0_1_1444693001625_3994">
<div id="yui_3_16_0_1_1444693001625_3993">
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div id="yui_3_16_0_1_1444693001625_3991">
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Courier New";color:black">Very valid points Mike and even I have similar concerns. But please do understand that even if the refresh token is stolen or compromised,it cannot
be used by any client unless both the client_id and client_secret are also compromised/stolen. But nevertheless, it is a good practice to assume the worst and add in protective measures to minimize the chances. <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Courier New";color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Courier New";color:black">Marek/Bill/Stian - Even our organization is very particular that such potential security issues be addressed. Can this be taken up? BTW I am not
sure if you have an API/End point to invalidate tokens for those that are either compromised or must be invalidated as either the user or client is no longer active. If you do not have one then it is a good idea to make one available.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Courier New";color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Courier New";color:black">Thanks,<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Courier New";color:black">Raghu<o:p></o:p></span></p>
</div>
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Courier New";color:black"><o:p> </o:p></span></p>
<div id="yui_3_16_0_1_1444693001625_3990">
<div id="yui_3_16_0_1_1444693001625_3989">
<div id="yui_3_16_0_1_1444693001625_3988">
<div class="MsoNormal" align="center" style="text-align:center;background:white">
<span style="font-family:"Helvetica",sans-serif;color:black">
<hr size="1" width="100%" align="center">
</span></div>
<p class="MsoNormal" style="background:white"><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">From:</span></b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"> "Kuznetsov, Mike"
<a href="mailto:mikhail.kuznetsov@hpe.com" target="_blank"><mikhail.kuznetsov@hpe.com></a><br>
<b>To:</b> <a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">"keycloak-dev@lists.jboss.org"</a>
<a href="mailto:keycloak-dev@lists.jboss.org" target="_blank"><keycloak-dev@lists.jboss.org></a>
<br>
<b>Cc:</b> "Jagadevan, Kamal" <a href="mailto:kamalakannan.jagadevan@hpe.com" target="_blank">
<kamalakannan.jagadevan@hpe.com></a> <br>
<b>Sent:</b> Tuesday, October 6, 2015 4:34 PM<br>
<b>Subject:</b> Re: [keycloak-dev] Same Refresh token can be used multiple times to obtain access token</span><span style="font-family:"Helvetica",sans-serif;color:black"><o:p></o:p></span></p>
</div>
<div id="yui_3_16_0_1_1444693001625_3999">
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black"><o:p> </o:p></span></p>
<div id="yui_3_16_0_1_1444693001625_4005">
<div id="yui_3_16_0_1_1444693001625_4004">
<div id="yui_3_16_0_1_1444693001625_4003">
<div>
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif">Hello,<span style="color:black"><o:p></o:p></span></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif"> <span style="color:black"><o:p></o:p></span></span></p>
</div>
<div id="yui_3_16_0_1_1444693001625_4063">
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif">The reason I brought this up is that we are currently working on migrating out authentication from a commercially available product called Ping to Keycloak. We noticed
that Ping invalidates the refresh token after it is used once, while Keycloak does not.<span style="color:black"><o:p></o:p></span></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif"> <span style="color:black"><o:p></o:p></span></span></p>
</div>
<div id="yui_3_16_0_1_1444693001625_4002">
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif">I and my colleague, Kamal are concerned that by not invalidating the refresh token after first use, we may be opening a security hole. While SSL may protect the token
in transit, we can see a scenario where the refresh token would be compromised or stolen from the client itself. In this case, the stolen refresh token could be used to get new access tokens without the owner of the client machine knowing.
<span style="color:black"><o:p></o:p></span></span></p>
</div>
<div id="yui_3_16_0_1_1444693001625_4007">
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif"> <span style="color:black"><o:p></o:p></span></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif">However, if the behavior was changed so that the refresh token could only be used once, then either:<span style="color:black"><o:p></o:p></span></span></p>
</div>
<div id="yui_3_16_0_1_1444693001625_4009">
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif">1.</span><span style="font-size:7.0pt;font-family:"Helvetica",sans-serif">
</span><span style="font-family:"Helvetica",sans-serif">If the owner of the client machine would use the refresh token first, then the stolen refresh token could not be used<span style="color:black"><o:p></o:p></span></span></p>
</div>
<div id="yui_3_16_0_1_1444693001625_4012">
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif">2.</span><span style="font-size:7.0pt;font-family:"Helvetica",sans-serif">
</span><span style="font-family:"Helvetica",sans-serif">If the stolen refresh token would be used first, then the client machine would not be able to use it and the user of that client machine could be alerted that something was wrong. This user could then
reset their password or invalidate all of their access and refresh tokens.<span style="color:black"><o:p></o:p></span></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif"> <span style="color:black"><o:p></o:p></span></span></p>
</div>
<div id="yui_3_16_0_1_1444693001625_4025">
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif">Furthermore, we are concerned about this same scenario, but with the offline token. My understanding is that the offline token does not expire and that it can’t be
invalidated by logging out the user or changing the user’s password. Have you thought about this scenario?<span style="color:black"><o:p></o:p></span></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:#1F497D"> </span><span style="font-family:"Helvetica",sans-serif;color:black"><o:p></o:p></span></p>
</div>
<div id="yui_3_16_0_1_1444693001625_4016">
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black">Thank You,<o:p></o:p></span></p>
</div>
<div id="yui_3_16_0_1_1444693001625_4019">
<p class="MsoNormal" style="background:white"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif;color:black"><br>
</span><b><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">Mikhail Kuznetsov</span></b><span style="font-family:"Helvetica",sans-serif;color:black"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif;color:black">Software Engineer</span><span style="font-family:"Helvetica",sans-serif;color:black"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif;color:black">Hewlett Packard Enterprise</span><span style="font-family:"Helvetica",sans-serif;color:black"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:#1F497D"> </span><span style="font-family:"Helvetica",sans-serif;color:black"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt;background:white"><span style="font-family:"Helvetica",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div id="yui_3_16_0_1_1444693001625_4023">
<div id="yui_3_16_0_1_1444693001625_4059">
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in" id="yui_3_16_0_1_1444693001625_4058">
<div id="yui_3_16_0_1_1444693001625_4057">
<p class="MsoNormal" style="background:white"><b><span style="font-family:"Helvetica",sans-serif">From:</span></b><span style="font-family:"Helvetica",sans-serif"> Marek Posolda [<a href="mailto:mposolda@redhat.com" target="_blank">mailto:mposolda@redhat.com</a>]
<br>
<b>Sent:</b> Tuesday, October 06, 2015 1:16 PM<br>
<b>To:</b> Raghu Prabhala<br>
<b>Cc:</b> Kuznetsov, Mike; <a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">
keycloak-dev@lists.jboss.org</a><br>
<b>Subject:</b> Re: [keycloak-dev] Same Refresh token can be used multiple times to obtain access token<span style="color:black"><o:p></o:p></span></span></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black"> <o:p></o:p></span></p>
</div>
<div id="yui_3_16_0_1_1444693001625_4022">
<div id="yui_3_16_0_1_1444693001625_4021">
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black">Hi Raghu,<br>
<br>
>From the specs, it looks to me that this is not anything mandatory. The paragraph is starting "For example". Feel free to create JIRA, but I personally can't promise anything regarding this...<br>
<br>
Marek<br>
<br>
<br>
On 06/10/15 17:37, Raghu Prabhala wrote:<o:p></o:p></span></p>
</div>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt" id="yui_3_16_0_1_1444693001625_4035">
<div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black">Hi Marek - section 10.4 of rfc6749 mentions that the prior refresh token should be invalidated but retained by the server - to handle compromise of refresh
tokens as they are long lived. <o:p></o:p></span></p>
</div>
</div>
<div id="yui_3_16_0_1_1444693001625_4034">
<div id="yui_3_16_0_1_1444693001625_4033">
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black"> <o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black">Thanks,<o:p></o:p></span></p>
</div>
</div>
<div id="yui_3_16_0_1_1444693001625_4055">
<div id="yui_3_16_0_1_1444693001625_4054">
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black">Raghu<br>
<br>
Sent from my iPhone<o:p></o:p></span></p>
</div>
</div>
<div>
<div style="margin-bottom:12.0pt">
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black"><br>
On Oct 6, 2015, at 10:53 AM, Marek Posolda <<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>> wrote:<o:p></o:p></span></p>
</div>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt" id="yui_3_16_0_1_1444693001625_4042">
<div id="yui_3_16_0_1_1444693001625_4041">
<div id="yui_3_16_0_1_1444693001625_4040">
<div id="yui_3_16_0_1_1444693001625_4039">
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black">You're right, same refresh token can be used more times. However it is still better to use refresh token R2 in your step 3 instead of using old refresh
token R1 because R2 has updated timestamp (each token is valid just for 30 minutes or so, depends on the configured SSO session idle timeout).<br>
<br>
Or are you referring that this is security issue and potential possibility to Man in the middle? If you use HTTPS (which is recommended for production environment, and especially if you have unsecured/untrusted networkl), this shouldn't be an issue.<br>
<br>
Marek<br>
<br>
On 06/10/15 16:34, Kuznetsov, Mike wrote:<o:p></o:p></span></p>
</div>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt" id="yui_3_16_0_1_1444693001625_4045">
<div id="yui_3_16_0_1_1444693001625_4044">
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black">Hello,<o:p></o:p></span></p>
</div>
<div id="yui_3_16_0_1_1444693001625_4050">
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black"> <o:p></o:p></span></p>
</div>
<div id="yui_3_16_0_1_1444693001625_4052">
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black">I noticed that with Keycloak, it seems that refresh tokens are still valid after they are used once. This means that Keycloak does
<b>not</b> invalidate Refresh Tokens after they have been used once.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black"> <o:p></o:p></span></p>
</div>
<div id="yui_3_16_0_1_1444693001625_4314">
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black">I am able to successfully execute the following flow:<o:p></o:p></span></p>
</div>
<div id="yui_3_16_0_1_1444693001625_4308">
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black">1.</span><span style="font-size:7.0pt;font-family:"Helvetica",sans-serif;color:black">
</span><span style="font-family:"Helvetica",sans-serif;color:black">Obtain Access Token (A1) and Refresh Token (R1)<o:p></o:p></span></p>
</div>
<div id="yui_3_16_0_1_1444693001625_4310">
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black">2.</span><span style="font-size:7.0pt;font-family:"Helvetica",sans-serif;color:black">
</span><span style="font-family:"Helvetica",sans-serif;color:black">Use Refresh Token (R1) to obtain new Access Token (A2) and Refresh Token (R2)<o:p></o:p></span></p>
</div>
<div id="yui_3_16_0_1_1444693001625_4312">
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black">3.</span><span style="font-size:7.0pt;font-family:"Helvetica",sans-serif;color:black">
</span><span style="font-family:"Helvetica",sans-serif;color:black">Use same Refresh Token (R1) again to obtain new Access Token (A3) and Refresh Token (R3)<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black">Can you please tell me if this is the intended functionality?<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black">Thank You,<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif;color:black"><br>
</span><b><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">Mikhail Kuznetsov</span></b><span style="font-family:"Helvetica",sans-serif;color:black"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif;color:black">Software Engineer</span><span style="font-family:"Helvetica",sans-serif;color:black"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif;color:black">Hewlett Packard Enterprise</span><span style="font-family:"Helvetica",sans-serif;color:black"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt;background:white"><span style="font-family:"Helvetica",sans-serif;color:black"><br>
<br>
<o:p></o:p></span></p>
</div>
<pre style="background:white"><span style="color:black">_______________________________________________<o:p></o:p></span></pre>
<pre style="background:white"><span style="color:black">keycloak-dev mailing list<o:p></o:p></span></pre>
<pre style="background:white"><span style="color:black"><a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a><o:p></o:p></span></pre>
<pre style="background:white"><span style="color:black"><a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><o:p></o:p></span></pre>
</blockquote>
<div>
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black"> <o:p></o:p></span></p>
</div>
</div>
</blockquote>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black">_______________________________________________<br>
keycloak-dev mailing list<br>
<a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><o:p></o:p></span></p>
</div>
</div>
</blockquote>
</blockquote>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black"> <o:p></o:p></span></p>
</div>
</div>
</div>
</div>
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black">_______________________________________________<br>
keycloak-dev mailing list<br>
<a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><o:p></o:p></span></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt;background:white"><span style="font-family:"Helvetica",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
</div>
</div>
</div>
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black"><br>
<br>
<o:p></o:p></span></p>
<pre style="background:white"><span style="color:black">_______________________________________________<o:p></o:p></span></pre>
<pre style="background:white"><span style="color:black">keycloak-dev mailing list<o:p></o:p></span></pre>
<pre style="background:white"><span style="color:black"><a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a><o:p></o:p></span></pre>
<pre style="background:white"><span style="color:black"><a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><o:p></o:p></span></pre>
</blockquote>
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
</div>
</div>
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black"><br>
_______________________________________________<br>
keycloak-dev mailing list<br>
<a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><o:p></o:p></span></p>
</blockquote>
</div>
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
</div>
</div>
</div>
</blockquote>
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
</div>
</div>
</div>
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black"><o:p> </o:p></span></p>
<div id="yqt84888">
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica",sans-serif;color:black">_______________________________________________<br>
keycloak-dev mailing list<br>
<a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><o:p></o:p></span></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt;background:white"><span style="font-family:"Helvetica",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
</div>
</div>
</div>
</div>
</body>
</html>