Annoying OAuth 2.0 Provider Refresh Policies

Let's face it folks Oauth2 is here & it ain't going anywhere! I've met many hackers that either really like the Oauth2 protocol or really hate it. Few & far between are middle of the road. I am one of those middle of the road ppl. I've been exposed to Oauth since version 1.0 and I've kinda grown up on it in the RESTful API world. It's becoming the most used weapon of choice for cloud based authorization but I would like to see some sort of standardization between the providers in regards to Refresh & Access token policies.

Cloud service companies are widely adopting OAuth 2.0 & it's a great concept that provides a less riskier method for cloud services & app developers to provide a Single Sign-On experience for their users. OAuth enables developers to offer users an easy method to allow “trusted” apps to perform transactions in their cloud based services and applications on their behalf. For example OAuth enables a user to authorize an app like LinkedIn to post a Tweet on the user's Twitter feed on behalf of the user.

Now back to my issues with how providers are implementing OAuth and the annoyances being caused by customized deployments. Most of my annoyances primarily relate to variations between provider refresh & access token policies. The OAuth 2.0 spec is based on refresh & access tokens which are required to perform transactions on a user's behalf. Access tokens are temporary tokens that must be included in all requests & transactions committed against an OAuth provider. Once issued these tokens generally last less than an hour. Once these Access Tokens expire a Refresh Token is required to gain another valid Access Token which will allows continued access until the new Access Token expires & the Refresh Token is used again to retrieve another Access Token and the cycle perpetuates in a loop.

So my primary annoyance relates to the inconsistencies between providers regarding their Refresh Token policies. The Refresh Token policy that is vexing me at the time of this post is related to how some major cloud storage providers administer their OAuth Refresh Tokens. Most OAuth providers issue a Refresh Token that is permanent and won't expire until revoked by the authorizing user. Having this permanent Refresh Token definitely fosters a bit more risk & vulnerability but I'm not convinced there is much more risk compared to the more annoying policies.

I'll describe the annoying Refresh Token policy. In the interest of security some cloud providers have implemented a more locked down policy on their Refresh Token policies and here is the flow. Ready ?:
  • App requests a Refresh & Access Token from provider
  • Provider Responds with a Valid Refresh & Access Token

In this flow, we have our valid Refresh Token but this token is under a more restrictive policy which generates the token as a ONE time use & expires after 60 days. This means when the Access Token expires you have to use this (One time use) Refresh Token to get another Access Token. Now we do get another Refresh Token with our Access Token request but again that is a one time use & 60 day expiry.

You maybe asking, What's the problem? Well this policy presents some unnecessary issues for developers that have to build against this policy. This particular policy doesn't provide the developer a friendly method in providing a seamless SSO user experience within their apps. In most scenarios, developers will have to persist Refresh Tokens (hopefully encrypted) in their apps data store. With a permanent/long life Refresh Token developers can easily implement a seamless SSO in their apps and don't have to struggle with figuring out a whole strategy on tracking the life of Refresh Tokens. I feel this restrictive policy is futile and doesn't add any value or real security. It just feels as an illusion so that companies can sell as security proposition or differentiator.

In conclusion I'm all about security but I'm also down with being sensible when designing & implementing security policies. If you produce tools & services for developers you really need to seriously weigh & balance the very thin lines between security & overall usability. At the end of the day the reality is that we can hack solutions for these types of constraints but why do companies feel the need to complicate things for the very community they're trying to capture & maintain?

So if you're a cloud service provider using OAuth please use sensible Refresh Token policies. It really does make huge difference in a developers life :-)