By Francois Lascelles
February 6, 2013 03:55 PM EST
Are you a token distributor? If you provide an API, you probably are.
One thing I like about tokens is that when they are compromised, your credentials are unaffected. Unfortunately, it doesn’t work so well the other way around. When your password is compromised, you should assume the attacker could get access tokens to act on your behalf too.
In his post The dilemma of the oauth token collector, and in this Twitter conversation, Nishant and friends comment on the recent Twitter hack and discuss the pros and cons of instantly revoking all access tokens when a password is compromised.
I hear the word of caution around automatically revoking all tokens at the first sign of a credential being compromised, but in a mobile world where UX is sacred and where each password entry can be a painful process, partial token revocation shouldn’t automatically be ruled out.
Although, as Nishant suggests, “it is usually hard to pinpoint the exact time at which an account got compromised”, you may know that it happened within a range and use the worst-case scenario. I’m not saying that was necessarily the right thing to do in reaction to Twitter’s latest incident, but only revoking tokens that were issued after the earliest time the hack could have taken place is a valid approach that needs to be considered. The possibility of doing this allows the API provider to mitigate the UX impact and helps avoid service interruptions (yes, I know UX would be best served by preventing credentials being compromised in the first place).
Of course, acting at that level requires token governance. The ability to revoke tokens is essential to the API provider. Any token management solution being developed today should pay great attention to it. Providing a GUI to enable token revocation is a start, but a token management solution should expose an API through which tokens can be revoked too. This lets existing portals and ops tooling programmatically act on token revocation. Tokens need to be easily revoked per user, per application, per creation date, per scope, etc., and per combination of any of these.
Are you a token distributor? You should think hard about token governance. You also think hard about scaling, security, integration to existing identity assets and interop, among other things. We’re covering these and more in this new eBook: 5 OAuth Essentials For API Access Control. Check it out.
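The following sketch is an added example, not code from the original post or from any product. It shows revocation by any combination of user, application, scope and creation date, including the "issued after the earliest possible compromise time" case discussed above. `TokenStore`, its field names and the sample tokens are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class Token:
    token_id: str
    user: str
    client_id: str               # the application the token was issued to
    scopes: frozenset
    issued_at: datetime          # timezone-aware issue time
    revoked: bool = False

class TokenStore:
    """Hypothetical in-memory token registry (not a real product API)."""
    def __init__(self, tokens):
        self._tokens = {t.token_id: t for t in tokens}

    def revoke(self, *, user=None, client_id=None, scope=None, issued_after=None):
        """Revoke active tokens matching ALL given criteria; return their ids."""
        if all(c is None for c in (user, client_id, scope, issued_after)):
            raise ValueError("refusing to revoke with no criteria")
        revoked = []
        for t in self._tokens.values():
            if t.revoked:
                continue
            if user is not None and t.user != user:
                continue
            if client_id is not None and t.client_id != client_id:
                continue
            if scope is not None and scope not in t.scopes:
                continue
            # Inclusive bound: in the worst case the boundary token is suspect too.
            if issued_after is not None and t.issued_at < issued_after:
                continue
            t.revoked = True
            revoked.append(t.token_id)
        return sorted(revoked)

    def is_active(self, token_id):
        t = self._tokens.get(token_id)
        return t is not None and not t.revoked

# Constructed sample data: earliest time the compromise could have started.
EARLIEST_COMPROMISE = datetime(2013, 2, 1, tzinfo=timezone.utc)

def sample_store():
    utc = timezone.utc
    return TokenStore([
        Token("t1", "alice", "app-mobile", frozenset({"read", "write"}), datetime(2013, 1, 10, tzinfo=utc)),
        Token("t2", "alice", "app-mobile", frozenset({"read"}), datetime(2013, 2, 1, tzinfo=utc)),
        Token("t3", "alice", "app-web", frozenset({"read", "write"}), datetime(2013, 2, 3, tzinfo=utc)),
        Token("t4", "bob", "app-web", frozenset({"read"}), datetime(2013, 2, 4, tzinfo=utc)),
    ])
```

Calling `revoke(user="alice", issued_after=EARLIEST_COMPROMISE)` on the sample store leaves the older token `t1` valid, so a device that was authorized before the suspected window does not have to re-enter a password.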