Once you’ve identified your top security threats, you can begin to identify the policies best suited to protecting your systems. But first, you’ll want to understand how tokens work.
OAuth access tokens provide a level of abstraction between the various entities involved in a transaction so each is isolated from the responsibilities of the others and of the overall system. For example, a client acquiring tokens from an authorization server (AS) for a user typically leverages the user’s browser for any user interaction. This isolates the client from the authorization server’s processes for user authentication and consent.
Also, when communicating with protected resources, a client applies tokens without necessarily knowing the underlying data or security policies those tokens represent. Similarly, a protected resource can validate that a request from a client was authorized by the resource owner, without knowledge or participation in the process the client used to get the token from the AS.
While the business policy and processes and around what is required for authorization are defined by the AS, not the OAuth spec, the OAuth spec does define three places where an AS can interject its policy:
- Before a token is granted, the AS can interact with the user via the user agent/browser for authentication and consent.
- When using refresh tokens, the AS can use each refresh as a chance to evaluate policy. This could result in a change to the contents of a structured token such as a JWT, for example, or a decision to no longer allow the refresh token to be used before it has reached a time-based expiration.
- When using non-structured access tokens (or a format that’s otherwise opaque to the resources), token introspection allows for policy to be evaluated on each use. Different protected resources can see different information, and token revocation can take place immediately.
Issuance, refresh and access can be thought of as a continuum. On the far left, token issuance has the most visibility to the user agent and the ability to interact with the user for authentication and consent. On the far right, structured access tokens act as a cache of a past policy decisions and enable performance at the cost of potentially stale information. Refresh tokens are in the middle, able to make policy decisions but not able to necessarily interact with the user.
Policy decisions may also lead to a cascading escalation of token requests from the client perspective. A short-lived access token will eventually require a client to fetch a new access token via a refresh grant. At this point, the evaluation of policy by the AS might require interaction with the user, so it fails to refresh. This causes the client—which still needs an access token to interact with protected resources—to request a new token, presenting the user to the AS via the user agent or browser.
In some environments, there may be a fourth place where the AS can interject policy. In this case, a client may first request an access token and redirect the user, while requesting the AS fail rather than presenting UI to the user. This allows the client to better control the user experience when the user must re-authenticate to continue interaction with the protected resource.
Online vs. Offline OpenID Connect Token Policy
While the implementation of token policies is outside the realm of OAuth, OpenID Connect (OIDC) does provide two different types of token policy: online and offline. An offline token policy is one where access continues beyond when the user is present beyond the current authentication session for the user. For example, I might grant access to a meeting service to read and modify my calendar. The expectation is that I’m granting access in order to increase the capabilities of the application even when I’m not present, such as exposing my free and busy status during scheduling.
An online token policy, on the other hand, will enable access only when I am present and will terminate access once I’m no longer authenticated. An example might be a browser app written in Javascript. The user might not understand the distinction between the AS and client app because they are presented in the same browser. If the user isn’t interacting with the app, there is often no reason for a browser-based app to maintain access.
Many AS implementations do not enable refresh token policies based on whether the user is still authenticated. For this reason, some people equate offline access to mean that a refresh token is issued, while online access indicates no refresh tokens are issued. But this is only the case in certain AS implementations, and both of these statements can be false depending upon the specific AS implementation and policy.