Refresh token and enforcing the identity binding

Hello,

I am thinking about the scenario where my login provider is using an external (or even multiple) identity providers and, in general, does not know what may happen to the user that has been successfully authenticated a while ago. And specifically about the scenario with the refresh token. Imagine that the access and refresh tokens have been issued, the user loses his/her device or gets fired from the company, or changes the password. With the refresh token, the user (or whoever steals the laptop) can still access the API for a while. Logically, the binding between the access token and identity should be broken as soon as possible. But I can’t find a way to enforce it.

My understanding is that the login provider is not even called when refreshing the access token using refresh token, so I do not even have a potential hook to control the re-issuing of the new access token at this point.

Without the refresh token at least the silent renewal would not be possible - the identity provider would require the user to log in again since the session cookie would become invalid.

I am looking for guidance on how to approach this problem.

If an OAuth2 Client is compromised, you can revoke all tokens for that client (or for the user in general) via: https://www.ory.sh/docs/hydra/sdk/api#revokes-consent-sessions-of-a-subject-for-a-specific-oauth-20-client

You can also revoke a refresh token using OAuth2 Token Revocation ( https://www.ory.sh/docs/hydra/sdk/api#revoke-oauth2-tokens ) which will revoke the whole chain of tokens (all issued access tokens, all issued refresh tokens) for that specific authorization grant.

Hope this helps
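The two revocation paths the answer above points at, as an added example (not code from the thread or from the Hydra project): an identity-event handler that calls the admin endpoint to delete a subject's consent sessions (which takes every token issued under them with it) and the subject's login session, plus an RFC 7009 client-side revocation of a single refresh token. Assumptions not stated on the page: Hydra's admin API on http://127.0.0.1:4445 exposing DELETE /oauth2/auth/sessions/consent?subject=..&client=.. (or all=true) and DELETE /oauth2/auth/sessions/login?subject=.., the public API on http://127.0.0.1:4444 exposing POST /oauth2/revoke with client Basic auth, and the event names used by the handler. The demo runs against an offline recording transport instead of a live Hydra; check the endpoint paths against the Hydra version you run.

```python
"""Break the token-to-identity binding on an identity event by calling Hydra's
revocation endpoints. Added example; endpoints and ports are assumptions."""
import base64
import urllib.error
import urllib.parse
import urllib.request

ADMIN_URL = "http://127.0.0.1:4445"   # assumption: Hydra admin port
PUBLIC_URL = "http://127.0.0.1:4444"  # assumption: Hydra public port


def urllib_send(method, url, headers, body):
    """Real transport: returns (status, response body). Not used by the offline demo."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class RecordingTransport:
    """Offline stand-in for Hydra: records each request, answers a fixed status."""

    def __init__(self, status):
        self.status = status
        self.calls = []

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, headers, body))
        return self.status, b""


class HydraRevoker:
    def __init__(self, admin_url=ADMIN_URL, public_url=PUBLIC_URL, send=urllib_send):
        self.admin_url = admin_url.rstrip("/")
        self.public_url = public_url.rstrip("/")
        self.send = send

    def revoke_consent(self, subject, client=None):
        """Delete the subject's consent sessions and every token issued under them.
        With a client: only that client's grants; without: all clients (all=true)."""
        params = {"subject": subject}
        if client is None:
            params["all"] = "true"
        else:
            params["client"] = client
        url = f"{self.admin_url}/oauth2/auth/sessions/consent?{urllib.parse.urlencode(params)}"
        status, _ = self.send("DELETE", url, {"Accept": "application/json"}, None)
        return status == 204

    def revoke_login_session(self, subject):
        """Kill the subject's Hydra login session so a silent re-login cannot mint new grants."""
        query = urllib.parse.urlencode({"subject": subject})
        url = f"{self.admin_url}/oauth2/auth/sessions/login?{query}"
        status, _ = self.send("DELETE", url, {"Accept": "application/json"}, None)
        return status == 204

    def revoke_token(self, token, client_id, client_secret, hint="refresh_token"):
        """RFC 7009 revocation of one token; Hydra revokes the grant's whole chain with it."""
        # RFC 6749 section 2.3.1: form-encode id and secret before Basic-encoding them.
        cred = f"{urllib.parse.quote(client_id, safe='')}:{urllib.parse.quote(client_secret, safe='')}"
        headers = {
            "Authorization": "Basic " + base64.b64encode(cred.encode()).decode(),
            "Content-Type": "application/x-www-form-urlencoded",
        }
        body = urllib.parse.urlencode({"token": token, "token_type_hint": hint}).encode()
        status, _ = self.send("POST", f"{self.public_url}/oauth2/revoke", headers, body)
        return status == 200  # RFC 7009: 200 even if the token was already invalid


# Identity events that must break the binding (constructed names, not a Hydra feature).
REVOKING_EVENTS = {"password_changed", "account_disabled", "device_lost"}


def on_identity_event(event, revoker):
    """Scenario (1) hook: the user directory reports that a subject changed."""
    if event["type"] not in REVOKING_EVENTS:
        return {"consent_revoked": False, "login_revoked": False}
    # A lost device only concerns the app on that device; everything else hits all clients.
    client = event.get("client") if event["type"] == "device_lost" else None
    return {
        "consent_revoked": revoker.revoke_consent(event["subject"], client),
        "login_revoked": revoker.revoke_login_session(event["subject"]),
    }


if __name__ == "__main__":
    fake = RecordingTransport(204)
    revoker = HydraRevoker(send=fake)
    # Constructed sample event: password change reported by the user directory.
    print(on_identity_event({"type": "password_changed", "subject": "alice@example.com"}, revoker))
    for method, url, _, _ in fake.calls:
        print(method, url)
```

The consent-session deletion is the path that needs no knowledge of the tokens themselves, which is what makes it usable from an external notification. The RFC 7009 call is only possible from the client that holds the refresh token, so it covers "user clicks sign out in the app", not "HR disabled the account".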

How do we get the refresh tokens that are associated with the subject and client consent?

Sorry, that sounded meaner than I intended it to. The first linked API allows you to delete those without knowing the tokens!

Yes, I know that I can revoke the token, that’s fine. Let me try to lay it out differently:

  • Hydra manages the oauth2 tokens
  • login provider authenticates the user, this identity is disconnected from Hydra, essentially. Imagine for simplicity that my user database is Active Directory
  • a refresh token is issued for a particular app and particular subject

Now, this subject changes the password. There are two possible scenarios I can imagine:

  1. I have a component that somehow gets notified about a user status change (any change) and it calls Hydra to invalidate the tokens for this user
  2. Whenever the access token is refreshed, I can try to see if the user status has changed and refuse the refresh (and revoke the tokens, of course).

I believe that mechanism (1) does not generally exist - unless it is my own identity provider. And, I believe, the mechanism (2) does not exist either, in Hydra my custom code (login provider) is not called when using the refresh token to acquire a new access token.

Invalidating OAuth2 Tokens when you log out (or update credentials) is not something that’s intended by the protocol. You would never get logged out of e.g. CircleCI when you log out of GitHub, this is true for all of the “Sign in with Google/…” flows. That just doesn’t happen because they are separate companies/systems/developers/…

What you’re looking for is probably more something along OpenID Connect Front/Backchannel logout, which is implemented in Hydra.

If you want to revoke access to a certain application, use the API linked above, it invalidates all tokens.

Everything else is completely abusing an Access Token (proof of authorization) as something that is a “login session” (which is what we have OpenID Connect for)