
I am working on a security module for an application, using Google's OAuth 2.0 access token as suggested in the section "Obtaining OAuth 2.0 access tokens" of this article: https://developers.google.com/identity/protocols/OAuth2WebServer

I am storing the access_token received as part of step 5 in the article above, "Step 5: Exchange authorization code for refresh and access tokens".

Let's say that the user goes to any Google web app in the browser and logs out. I understand that Google's session is invalid at that point; that's fine, and that is the session for which the access_token I have stored was generated. Then, let's say that at that moment the user was logged into my app and my app's session expired. The problem is that if my app's session expires and the user goes to my app, my app will try to validate the access token (I want to keep my app's session somewhat aligned with the Google session as long as the Google session is alive), but this service https://www.googleapis.com/oauth2/v2/tokeninfo does not immediately reflect that the access_token I have in my app is invalid; it takes many minutes to reflect that the user has logged out and the access token is not valid.

Please excuse my long explanation; I hope it is clear.

Now my question is: what Google REST service provides better validation for the access_token?

anyei

1 Answer


I think you have the wrong assumption that an access token (and a refresh token) is bound to the session that was used when authenticating the user. I tried to find some info about it, but didn't succeed. There may be multiple sessions, for example in different browsers. If you log out in one browser, the other stays logged in, so there is probably no "global sign out" that would terminate all sessions of the user.

If the tokens were invalidated on browser session logout, it would make the applications using the tokens fragile. For example, mobile or desktop applications that use a browser just for authentication and don't usually keep the browser window open after successful authentication cannot keep the browser session alive. Their tokens would get invalidated with the session expiration.

Google doesn't seem to provide OpenID Connect session management features in their discovery document, so you cannot monitor the session using iframes either (as described in the RFC).

Ján Halaša
  • Jan, if you want, do this test. Create a simple web application that uses Google OAuth 2.0 for authentication, and set your app's session lifetime to 5 minutes. Log into your app using Google's OAuth 2.0. Then go to your Google account and log out. After you do that, use the access token generated to do some GET request to this service https://www.googleapis.com/oauth2/v2/tokeninfo; you will notice that after a couple of minutes the access token you generated with that session is no longer valid. – anyei Jul 24 '17 at 14:17
  • @anyei, Jan is correct. The access token is not bound to the session which the user used to authenticate himself. I suspect what you are seeing is simply the access token expiring after 1 hour. You need to rethink your security model. – pinoyyid Jul 24 '17 at 16:42
  • I see, then that is sad. I'm evaluating several OAuth 2.0 authentication providers; so far Facebook provides a way to validate that exact scenario. For instance, doing GET graph.facebook.com/debug_token?input_token={token-to-inspect}&access_token={app-token-or-admin-token} I can get a JSON with a property "is_valid" which tells me whether the access token being evaluated is valid or not; furthermore, it even gives me the reason why the token is invalid. – anyei Jul 25 '17 at 14:44
  • Just for further explanation, here is an example of Facebook's token debugging response: {app_id=myappid, application=myapplabel, error={code=190, message=Error validating access token: The session is invalid because the user logged out., subcode=467}, expires_at=1500998400, is_valid=false, scopes=(public_profile), user_id=fbuserid} – anyei Jul 25 '17 at 14:46
  • Jan, pinoyyid, thanks for your answers. I will for sure change the approach, at least for Google's API (actually, so far LinkedIn has the same scenario; the only one of the OAuth providers I have reviewed with such "token validation verification" functionality thus far is Facebook). – anyei Jul 25 '17 at 14:54
  • Thanks anyei for the info, being aware of these differences may be useful. – Ján Halaša Jul 25 '17 at 18:37
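As an added example, not code from the question or the answers on this page: a Python check over the two response shapes discussed in the thread, the Google tokeninfo reply the question relies on and the Facebook debug_token reply quoted in the comments. It runs against constructed sample bodies rather than live HTTP calls; the client ID, user IDs and the "valid" Facebook body are assumptions, and the Google invalid-token body follows Google's documented 400 response rather than anything observed here. The point it shows is what each reply can and cannot tell you. Google's reply supports an audience check and an expiry check (the audience check matters in its own right, since tokeninfo will happily describe a perfectly valid token that was issued to a different application), but, as the thread concludes, a logout in the Google web UI is not something this response reports. Facebook's reply, by contrast, carries the logout reason explicitly.

```python
import json
import time
from dataclasses import dataclass
from typing import Optional

# Constructed sample responses for offline use. The Google shapes follow the
# tokeninfo documentation; the Facebook shapes follow the reply quoted in the
# comments above (wrapped in "data", as the Graph API returns it). All
# identifiers are made up.
GOOGLE_TOKENINFO_OK = json.dumps({
    "issued_to": "1234567890-abc.apps.googleusercontent.com",
    "audience": "1234567890-abc.apps.googleusercontent.com",
    "user_id": "110248495921238986420",
    "scope": "openid https://www.googleapis.com/auth/userinfo.email",
    "expires_in": 3240,
    "email": "user@example.com",
    "verified_email": True,
    "access_type": "offline",
})
# Returned (with HTTP 400) once the token has really expired or been revoked.
# A Google web logout alone does not produce this, which is the thread's finding.
GOOGLE_TOKENINFO_BAD = json.dumps({
    "error": "invalid_token",
    "error_description": "Invalid Value",
})
FACEBOOK_DEBUG_TOKEN_LOGGED_OUT = json.dumps({"data": {
    "app_id": "myappid",
    "application": "myapplabel",
    "error": {"code": 190, "subcode": 467,
              "message": "Error validating access token: The session is invalid because the user logged out."},
    "expires_at": 1500998400,
    "is_valid": False,
    "scopes": ["public_profile"],
    "user_id": "fbuserid",
}})
# Assumed "still valid" counterpart, same fields with is_valid true and no error.
FACEBOOK_DEBUG_TOKEN_OK = json.dumps({"data": {
    "app_id": "myappid",
    "application": "myapplabel",
    "expires_at": 1500998400,
    "is_valid": True,
    "scopes": ["public_profile"],
    "user_id": "fbuserid",
}})


@dataclass
class Verdict:
    valid: bool
    reason: str
    user_id: Optional[str] = None


def check_google_tokeninfo(body: str, expected_client_id: str,
                           min_remaining_s: int = 60) -> Verdict:
    """Evaluate a tokeninfo response body. The most this can establish is
    'unexpired and issued to my client'; a Google web logout is not visible here."""
    info = json.loads(body)
    if "error" in info:
        return Verdict(False, info.get("error_description", info["error"]))
    # Without this check an attacker could present a valid token minted for
    # some other application and tokeninfo would describe it as fine.
    if info.get("audience") != expected_client_id:
        return Verdict(False, "audience mismatch: token not issued to this client")
    remaining = int(info.get("expires_in", 0))
    if remaining < min_remaining_s:
        return Verdict(False, f"token expires in {remaining}s, below the {min_remaining_s}s margin")
    return Verdict(True, "unexpired and issued to this client", info.get("user_id"))


def check_facebook_debug_token(body: str, expected_app_id: str,
                               now: Optional[int] = None) -> Verdict:
    """Evaluate a debug_token response body; here a logout is reported explicitly."""
    data = json.loads(body)["data"]
    if not data.get("is_valid", False):
        return Verdict(False, data.get("error", {}).get("message", "token reported invalid"))
    if data.get("app_id") != expected_app_id:
        return Verdict(False, "app_id mismatch: token not issued to this app")
    current = now if now is not None else int(time.time())
    if int(data.get("expires_at", 0)) <= current:
        return Verdict(False, "token expired")
    return Verdict(True, "valid", data.get("user_id"))


if __name__ == "__main__":
    client = "1234567890-abc.apps.googleusercontent.com"
    print(check_google_tokeninfo(GOOGLE_TOKENINFO_OK, client))
    print(check_google_tokeninfo(GOOGLE_TOKENINFO_OK, "some-other-client"))
    print(check_google_tokeninfo(GOOGLE_TOKENINFO_BAD, client))
    print(check_facebook_debug_token(FACEBOOK_DEBUG_TOKEN_LOGGED_OUT, "myappid"))
    print(check_facebook_debug_token(FACEBOOK_DEBUG_TOKEN_OK, "myappid", now=1500000000))
```

The `min_remaining_s` margin is there so a token about to expire is not accepted at the start of a request it cannot outlive; what it does not do, and what nothing in the tokeninfo reply can do, is tell you the user has signed out of Google elsewhere.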