This repository was archived by the owner on Apr 26, 2024. It is now read-only.
-
-
Notifications
You must be signed in to change notification settings - Fork 2.1k
Document the usage of refresh tokens. #11427
Merged
Merged
Changes from all commits
Commits
Show all changes
13 commits
Select commit
Hold shift + click to select a range
b650438
Initial attempt at documentation. Diagram missing for now.
reivilibre 0af540e
Add Refresh Tokens to docs summary
reivilibre 6c2256f
Newsfile
reivilibre 95fe78e
Add further reading for refresh tokens (OAuth 2)
reivilibre 90f18b6
Note that inactivity expiry happens before the natural expiry
reivilibre e6104a8
Note that access tokens should be kept secret
reivilibre 4e1359f
Use 'long-lived' rather than 'long-length'
reivilibre 9303f8c
Note that you can choose to set NRAT lifetimes to be short for security
reivilibre 8583224
Note that the options only apply to new tokens
reivilibre 3e2f56a
Overhaul the calculation section
reivilibre ceb032a
Update docs/usage/configuration/user_authentication/refresh_tokens.md
reivilibre b4cefa8
Explain consequence of refresh token lifetime
reivilibre 2b03c75
What is inconvenience?
reivilibre File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| Document the usage of refresh tokens. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
139 changes: 139 additions & 0 deletions
139
docs/usage/configuration/user_authentication/refresh_tokens.md
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,139 @@ | ||
| # Refresh Tokens | ||
|
|
||
| Synapse supports refresh tokens since version 1.49 (some earlier versions had support for an earlier, experimental draft of [MSC2918] which is not compatible). | ||
|
|
||
|
|
||
| [MSC2918]: https://github.com/matrix-org/matrix-doc/blob/main/proposals/2918-refreshtokens.md#msc2918-refresh-tokens | ||
|
|
||
|
|
||
| ## Background and motivation | ||
|
|
||
| Synapse users' sessions are identified by **access tokens**; access tokens are | ||
| issued to users on login. Each session gets a unique access token which identifies | ||
| it; the access token must be kept secret as it grants access to the user's account. | ||
|
|
||
| Traditionally, these access tokens were eternally valid (at least until the user | ||
| explicitly chose to log out). | ||
|
|
||
| In some cases, it may be desirable for these access tokens to expire so that the | ||
| potential damage caused by leaking an access token is reduced. | ||
| On the other hand, forcing a user to re-authenticate (log in again) often might | ||
| be too much of an inconvenience. | ||
|
|
||
| **Refresh tokens** are a mechanism to avoid some of this inconvenience whilst | ||
| still getting most of the benefits of short access token lifetimes. | ||
| Refresh tokens are also a concept present in OAuth 2 — further reading is available | ||
| [here](https://datatracker.ietf.org/doc/html/rfc6749#section-1.5). | ||
|
|
||
| When refresh tokens are in use, both an access token and a refresh token will be | ||
| issued to users on login. The access token will expire after a predetermined amount | ||
| of time, but otherwise works in the same way as before. When the access token is | ||
| close to expiring (or has expired), the user's client should present the homeserver | ||
| (Synapse) with the refresh token. | ||
|
|
||
| The homeserver will then generate a new access token and refresh token for the user | ||
| and return them. The old refresh token is invalidated and can not be used again*. | ||
|
|
||
| Finally, refresh tokens also make it possible for sessions to be logged out if they | ||
| are inactive for too long, before the session naturally ends; see the configuration | ||
| guide below. | ||
|
|
||
|
|
||
| *To prevent issues if clients lose connection half-way through refreshing a token, | ||
DMRobertson marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| the refresh token is only invalidated once the new access token has been used at | ||
| least once. For all intents and purposes, the above simplification is sufficient. | ||
|
|
||
|
|
||
| ## Caveats | ||
|
|
||
| There are some caveats: | ||
|
|
||
| * If a third party gets both your access token and refresh token, they will be able to | ||
| continue to enjoy access to your session. | ||
| * This is still an improvement because you (the user) will notice when *your* | ||
| session expires and you're not able to use your refresh token. | ||
| That would be a giveaway that someone else has compromised your session. | ||
| You would be able to log in again and terminate that session. | ||
DMRobertson marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| Previously (with long-lived access tokens), a third party that has your access | ||
| token could go undetected for a very long time. | ||
| * Clients need to implement support for refresh tokens in order for them to be a | ||
| useful mechanism. | ||
| * It is up to homeserver administrators if they want to issue long-lived access | ||
| tokens to clients not implementing refresh tokens. | ||
DMRobertson marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| * For compatibility, it is likely that they should, at least until client support | ||
| is widespread. | ||
| * Users with clients that support refresh tokens will still benefit from the | ||
| added security; it's not possible to downgrade a session to using long-lived | ||
| access tokens so this effectively gives users the choice. | ||
| * In a closed environment where all users use known clients, this may not be | ||
| an issue as the homeserver administrator can know if the clients have refresh | ||
| token support. In that case, the non-refreshable access token lifetime | ||
| may be set to a short duration so that a similar level of security is provided. | ||
|
|
||
|
|
||
| ## Configuration Guide | ||
|
|
||
| The following configuration options, in the `registration` section, are related: | ||
|
|
||
| * `session_lifetime`: maximum length of a session, even if it's refreshed. | ||
| In other words, the client must log in again after this time period. | ||
DMRobertson marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| In most cases, this can be unset (infinite) or set to a long time (years or months). | ||
| * `refreshable_access_token_lifetime`: lifetime of access tokens that are created | ||
| by clients supporting refresh tokens. | ||
| This should be short; a good value might be 5 minutes (`5m`). | ||
| * `nonrefreshable_access_token_lifetime`: lifetime of access tokens that are created | ||
| by clients which don't support refresh tokens. | ||
| Make this short if you want to effectively force use of refresh tokens. | ||
| Make this long if you don't want to inconvenience users of clients which don't | ||
| support refresh tokens (by forcing them to frequently re-authenticate using | ||
| login credentials). | ||
| * `refresh_token_lifetime`: lifetime of refresh tokens. | ||
| In other words, the client must refresh within this time period to maintain its session. | ||
| Unless you want to log inactive sessions out, it is often fine to use a long | ||
| value here or even leave it unset (infinite). | ||
| Beware that making it too short will inconvenience clients that do not connect | ||
| very often, including mobile clients and clients of infrequent users (by making | ||
| it more difficult for them to refresh in time, which may force them to need to | ||
| re-authenticate using login credentials). | ||
|
|
||
| **Note:** All four options above only apply when tokens are created (by logging in or refreshing). | ||
| Changes to these settings do not apply retroactively. | ||
|
|
||
|
|
||
| ### Using refresh token expiry to log out inactive sessions | ||
|
|
||
| If you'd like to force sessions to be logged out upon inactivity, you can enable | ||
| refreshable access token expiry and refresh token expiry. | ||
DMRobertson marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| This works because a client must refresh at least once within a period of | ||
| `refresh_token_lifetime` in order to maintain valid credentials to access the | ||
| account. | ||
|
|
||
| (It's suggested that `refresh_token_lifetime` should be longer than | ||
| `refreshable_access_token_lifetime` and this section assumes that to be the case | ||
| for simplicity.) | ||
|
|
||
| Note: this will only affect sessions using refresh tokens. You may wish to | ||
| set a short `nonrefreshable_access_token_lifetime` to prevent this being bypassed | ||
| by clients that do not support refresh tokens. | ||
|
|
||
|
|
||
| #### Choosing values that guarantee permitting some inactivity | ||
|
|
||
| It may be desirable to permit some short periods of inactivity, for example to | ||
| accommodate brief outages in client connectivity. | ||
DMRobertson marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| The following model aims to provide guidance for choosing `refresh_token_lifetime` | ||
| and `refreshable_access_token_lifetime` to satisfy requirements of the form: | ||
|
|
||
| 1. inactivity longer than `L` **MUST** cause the session to be logged out; and | ||
| 2. inactivity shorter than `S` **MUST NOT** cause the session to be logged out. | ||
|
|
||
| This model makes the weakest assumption that all active clients will refresh as | ||
| needed to maintain an active access token, but no sooner. | ||
| *In reality, clients may refresh more often than this model assumes, but the | ||
| above requirements will still hold.* | ||
|
|
||
| To satisfy the above model, | ||
| * `refresh_token_lifetime` should be set to `L`; and | ||
| * `refreshable_access_token_lifetime` should be set to `L - S`. | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.