Comments (16)
I agree that short lifetime is good for security but it will also incur much load on authorization server as it has to process frequent refresh requests. We could have clients from different platforms (JS based web app, android app, native desktop app etc.) with different usage and trust level. Say we have our own multiple apps or the apps from our trusted vendors with higher trust level, here it will be safe to issue tokens with longer expiry.
I am sorry but I have to disagree. The trust level should not be responsible for deciding token lifespan. Tokens can be stolen from trusted clients and untrusted clients alike. Keeping token lifetime short increases security. Please remember that OAuth2 is a delegation protocol and it should be treated as such. :)
Please read the official recommendation IETF RFC6819:
A short expiration time for tokens is a means of protection against
the following threats:
o replay
o token leak (a short expiration time will reduce impact)
o online guessing (a short expiration time will reduce the
likelihood of success)
Additionally, generating hmac tokens is cheap with fosite. The database might get some load but I don't think that it's going to be a real issue, even if token expiry is only an hour.
If we save/load expiry from database then it will give us ultimate control. You may have hundres of clients and each client has thousands of end users, consuming your API. Some day suddenly you found that a few clients are abusing or sending too many request. Here if you have expiry in database then you can easily expire there access token as well as refresh token so they have to authenticate again.
That is what token revokation(IETF RFC7009) is for. It's currently not implemented in hydra but it should be very easy to add an endpoint and remove malicious / leaked tokens from the database.
Another point I want to make is that issuing access token is not the bottleneck, but token lookup is. You are suggesting that the expiry time should be flexible. This does not work if you issue JWT, because you can't change their expiry values once the JWT is issued. If you want expiry time to be flexible, you will need to look up the token in the database every time you want to validate it. This will cause you real trouble ;)
If you fear that database load might be an issue, take a look at the Hydra Refactor. It's an authorization server that uses fosite and does everything in-memory.
Feel free to ask questions if things are unclear.
from fosite.
Hey, the methods in store.go are being called, I can guarantee that. Otherwise the example would not work.
from fosite.
Maybe you could show me what you tried to do :)
from fosite.
I only added log.Println(...) statement at the begining of each method like this one
func (s *Store) GetClient(id string) (fosite.Client, error) {
log.Println("Store.GetClient executed...")
cl, ok := s.Clients[id]
if !ok {
return nil, pkg.ErrNotFound
}
return cl, nil
}
After that i run the example
[samtech@M4800 server]$ go run main.go
Please open your webbrowser at http://localhost:3846
Then i tried Authorize Code Grant, Resource owner password credentials grant etc. but i didn't see any log trace in console.
from fosite.
I can not reproduce this. I get:
D:\workspace\go\src\github.com\ory-am\fosite\fosite-example>go run main.go
Please open your webbrowser at http://localhost:3846
2016/05/16 11:28:58 Store.GetClient executed...
2016/05/16 11:29:01 Store.GetClient executed...
2016/05/16 11:29:01 Store.GetClient executed...
after clicking on "authorize code grant" and logging in.
from fosite.
After looking the output you shared, i deleted all old stuff, again did a fresh "go get github.com/ory-am/fosite", followed by glide update, then added log.Println(...) to GetClient() method
And now it is giving traces :)
I really do not know what was the problem.
Anyways, sorry for killing your time.
Now i will try to create store for postgresql database.
from fosite.
Don't worry, glad I was able to help!
from fosite.
If you need further assistance let me know
from fosite.
Hi,
I have few queries, should i ask here or create new Issue (BTW those of
queries not the issue).
Please suggest.
On 05/16/16 22:11, Aeneas wrote:
If you need further assistance let me know
—
You are receiving this because you authored the thread.
Reply to this email directly or view it on GitHub
#45 (comment)
Thanks & Regards
Sam Tech
from fosite.
Feel free to ask here. There is also a reference storage implementation usign rethinkdb here: https://github.com/ory-am/hydra/blob/refactor/internal/fosite_store_rethinkdb.go
from fosite.
I am trying to implement client with following fields
type AppClient struct {
ID string json:"id"
AppName string json:"app_name"
Secret []byte json:"secret,omitempty"
RedirectURIs []string json:"redirect_uris"
GrantTypes []string json:"grant_types"
ResponseTypes []string json:"response_types"
Owner string json:"owner"
AccessTokenLife int json:"accesstoken_lifetime"
RefreshTokenLife int json:"refreshtoken_lifetime"
}
As you can see i have AccessTokenLife and RefreshTokenLife fields.
The task it is assign different expiry of AccessToken / RefreshToken per
client basis, depending on application type and usage.
For example Client-A may have AcessTokenLife of 30 min. and RefreshToken
life of 120 minutes.
And Client-B may have AcessTokenLife of 90 min. and RefreshToken life of
300 minutes.
I guess it is to be set in CreateAuthorizeCodeSession and similar
methods.
But fosite.Requester doesn't provide any method for that. For this we
need to save and later load expiry from database when requested by
fosite, so fosite can validate expiry.
Can you please suggest, how to achieve it.
On 05/28/16 13:52, Aeneas wrote:
Feel free to ask here. There is also a reference storage
implementation usign rethinkdb here:
https://github.com/ory-am/hydra/blob/refactor/internal/fosite_store_rethinkdb.go—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
#45 (comment),
or mute the thread
https://github.com/notifications/unsubscribe/AKD0TRDM6QzJ5g2fmtc2co1GmZab_n6nks5qF_tggaJpZM4Ie4zk.
Thanks & Regards
Sam Tech
from fosite.
I see, currently fosite only supports a global access token life time: https://github.com/ory-am/fosite/blob/master/handler/core/explicit/explicit_auth.go#L31
It is validated for example here: https://github.com/ory-am/fosite/blob/master/handler/core/explicit/explicit_token.go#L66
A per request lifetime is not implemented right now but it seems like a common problem as this has been asked before. Can you maybe tell me why you need it exactly? Usually Access Tokens should have short lifetimes and be refreshed using Refresh Tokens which is why I didn't include per-client or per-request lifetimes.
from fosite.
It will add more flexibility. Let me try to explain :)
Advantage of flexible lifetime
I agree that short lifetime is good for security but it will also incur
much load on authorization server as it has to process frequent refresh
requests.
We could have clients from different platforms (JS based web app,
android app, native desktop app etc.) with different usage and trust level.
Say we have our own multiple apps or the apps from our trusted vendors
with higher trust level, here it will be safe to issue tokens with
longer expiry.
But on the other side, for other 3rd party apps where trust level is
low, we should issue tokens with short lifespan.
Advantage of save/load expiry from database
If we save/load expiry from database then it will give us ultimate control.
You may have hundres of clients and each client has thousands of end
users, consuming your API. Some day suddenly you found that a few
clients are abusing or sending too many request.
Here if you have expiry in database then you can easily expire there
access token as well as refresh token so they have to authenticate again.
I am also planning to add support to enable/disable client so before
authorization it should check whether the client is active.
On Saturday 28 May 2016 07:44 PM, Aeneas wrote:
I see, currently fosite only supports a global access token life time:
https://github.com/ory-am/fosite/blob/master/handler/core/explicit/explicit_auth.go#L31It is validated for example here:
https://github.com/ory-am/fosite/blob/master/handler/core/explicit/explicit_token.go#L66A per request lifetime is not implemented right now but it seems like
a common problem as this has been asked before. Can you maybe tell me
why you need it exactly? Usually Access Tokens should have short
lifetimes and be refreshed using Refresh Tokens.—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
#45 (comment),
or mute the thread
https://github.com/notifications/unsubscribe/AKD0TQXTVtUImsCpyUijChkKz6szRzfAks5qGE2tgaJpZM4Ie4zk.
Thanks & Regards
Sam Tech
from fosite.
If you need help with implementing a Token Revokation endpoint let me know!
from fosite.
Hmm.... your point is valid that with JWT we will not be able to expire
them. But that's not a big issue as custom hooks can be implemented in
resource server for that.
But still having flexibility to get/set expiry will be a great feature
for fosite. It is the only thing that i see as bootelneck in fosite. As
we are issuing tokens but we do not have control over it.
Approx 2 year ago i implemented oAuth2 server in C# using OSIN libraries
and using HMAC tokens.
There we implemented that feature and we were very happy wth that. We
also face few instances where few clients were poorly designed and not
comsuming API as it should be, so we just expire theire token and even
disabled few clients.
Not sure but i guess OSIN https://github.com/RangelReale/osin also
allow us to set expiry.
Regarding revocation, it have to be requested by Client. Legtimate
clients will request it but what about abusing clients? They will never
send revokation request.
Also as mentioned in IETF RFC6819
https://tools.ietf.org/html/rfc6819#section-5.1.5.3:
Is Limited / one-time-usage and Audience etc. implemented in fosite?
On Saturday 28 May 2016 11:26 PM, Aeneas wrote:
I agree that short lifetime is good for security but it will also incur much load on authorization server as it has to process frequent refresh requests. We could have clients from different platforms (JS based web app, android app, native desktop app etc.) with different usage and trust level. Say we have our own multiple apps or the apps from our trusted vendors with higher trust level, here it will be safe to issue tokens with longer expiry.
I am sorry but I have to disagree. The trust level should not be
responsible for deciding token lifespan. Tokens from can be stolen
from trusted clients and untrusted clients alike. Keeping token
lifetime short increases security. Please remember that OAuth2 is a
delegation protocol and it should be treated as such. :)Please read the official recommendation IETF RFC6819
https://tools.ietf.org/html/rfc6819#section-5.1.5.3:A short expiration time for tokens is a means of protection against the following threats: o replay o token leak (a short expiration time will reduce impact) o online guessing (a short expiration time will reduce the likelihood of success)
Additionally, generating hmac tokens is cheap with fosite. The
database might get some load but I don't think that it's going to be a
real issue, even if token expiry is only an hour.If you fear that database load might be an issue, take a look at the
Hydra Refactor https://github.com/ory-am/hydra/tree/refactor. It's
an authorization server that uses fosite and does everything in-memory.If we save/load expiry from database then it will give us ultimate control. You may have hundres of clients and each client has thousands of end users, consuming your API. Some day suddenly you found that a few clients are abusing or sending too many request. Here if you have expiry in database then you can easily expire there access token as well as refresh token so they have to authenticate again.
That is what [token revokation](IETF
RFC7009](https://tools.ietf.org/html/rfc7009) is for. It's currently
not implemented in hydra but it should be very easy to add an endpoint
and remove malicious / leaked tokens from the database.Another point I want to make is that issuing access token is not the
bottleneck, but token lookup is. You are suggesting that the expiry
time should be flexible. This does not work if you issue JWT, because
you can't change their expiry tokens.Feel free to ask questions if things are unclear.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
#45 (comment),
or mute the thread
https://github.com/notifications/unsubscribe/AKD0TSpI77Wo_rBCNMsg5rtwmCIyjzV9ks5qGIHUgaJpZM4Ie4zk.
Thanks & Regards
Sam Tech
from fosite.
But still having flexibility to get/set expiry will be a great feature for fosite. It is the only thing that i see as bootelneck in fosite. As we are issuing tokens but we do not have control over it.
In fosite you can invalidate tokens by simply removing them from the database. No need to tamper with expiry date :)
There we implemented that feature and we were very happy wth that. We also face few instances where few clients were poorly designed and not comsuming API as it should be, so we just expire theire token and even disabled few clients.
You can invalidate access tokens issued to abusing clients by removing them from the database.
Regarding revocation, it have to be requested by Client. Legtimate clients will request it but what about abusing clients? They will never send revokation request.
You are absolutely right, I forgot that RFC7009 is client-facing. The point I wanted to make is that you can remove tokens from the database in order to invalidate them. Playing with the expiry date does not make a lot of sense to me as the expiry date is issued once at token creation and submitted as a hint to the client. Additionally it does not work with JWT. I also think that looking up JWT sessions in a database defeats the purpose of using JWT.
Not sure but i guess OSIN https://github.com/RangelReale/osin also allow us to set expiry.
Yes, OSIN let's you save the expiry date per token in the database. OSIN however has a lot of other flaws and a poor security concept. I believe that choosing long expiry dates for access tokens is also poor security. This is why there is only one global expiry time in Fosite.
Please don't mistake me with someone who doesn't like new ideas :) I simply believe that your use cases can achieve the same functionality with better security if the expiry date is short and non-modifiable and tokens are invalidated by removing them from the database.
Let me know what you think.
from fosite.
Related Issues (20)
- Allow revoking access token without revoking refresh token HOT 2
- authorize_helper.isLoopbackAddress has flaws HOT 1
- clientCredentialsFromRequest should not expect Basic Authorization terms being URL Escaped HOT 2
- Refresh token flow handler does not set the original request ID in the handler early enough
- use mattn/go-sqlite3 v2.0.3+incompatible no the new version HOT 6
- Failed to decode `id_token_hint` when using different signer for `id_token` and others
- `iat` field in access token (JWT) issued as part of `refresh_token` grant. HOT 8
- Concurrent requests for token endpoint on auth-code flow with same code succeed. HOT 7
- Can not run the example code
- OIDC callback is always HTTPS, even when entered as HTTP HOT 1
- DefaultSigner should support key rotation
- Support per-client signing algorithm HOT 8
- Make prefix used in HMACSHAStrategy configurable
- openid session storage should be deleted when the authcode is exchanged HOT 9
- private_key_jwt assetion tokens can have unbounded expiration which can fill data store HOT 3
- NewDefaultSession's SetSubject should set IDTokenClaims as well
- Consider upgrading to github.com/go-jose/go-jose/v4
- id_token_hint should not persist to storage HOT 2
- Unable to obtain expiration time of refresh tokens HOT 1
- Why does HMACStrategy.Generate uses a lock? HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from fosite.