This repository has been archived by the owner on Feb 26, 2024. It is now read-only.

Notes on using refresh tokens to decouple browser authentication from requesting a certificate chain #59

Open
rochlefebvre opened this issue Jan 24, 2022 · 0 comments

@rochlefebvre

From Bob Callaway (sigstore Slack)

Using the step CLI (https://github.com/smallstep/cli) to get the original token (note I had to add the offline_access scope in order to get a refresh token returned)

bcallaway@bcallaway01:~/git/cli$ ./step oauth --provider=https://oauth2.sigstore.dev/auth --client-id=sigstore --listen localhost:0 --scope=offline_access --scope=openid --scope=email
Your default web browser has been opened to visit:

https://oauth2.sigstore.dev/auth/auth?client_id=sigstore&code_challenge=aluzr7mxRYMJL3RoKpc4RmiV_6QhVtfE7UqyMtiEVs8&code_challenge_method=S256&nonce=4e9be4ae88b7960663afca65aae7635e178a8c456f5045a3a49e6b1d2fcf4db1&redirect_uri=http%3A%2F%2Flocalhost%3A34241&response_type=code&scope=offline_access+openid+email&state=OlBmRKFxTEQ7o37Su1V29lvIsewnLdhg

{
  "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjEwOTdjOWI4ZThhMTk3NzEwZTUyYTZiOTg4NTM3YWIwM2U0MDJjNTYifQ.eyJpc3MiOiJodHRwczovL29hdXRoMi5zaWdzdG9yZS5kZXYvYXV0aCIsInN1YiI6IkNoVXhNVGN6TmpFd05UWTBOVFkwT0RnMU9EWXlORE1TRzJoMGRIQnpPaTh2WVdOamIzVnVkSE11WjI5dloyeGxMbU52YlEiLCJhdWQiOiJzaWdzdG9yZSIsImV4cCI6MTY0MzAzNzc3MCwiaWF0IjoxNjQzMDM3NzEwLCJub25jZSI6IjRlOWJlNGFlODhiNzk2MDY2M2FmY2E2NWFhZTc2MzVlMTc4YThjNDU2ZjUwNDVhM2E0OWU2YjFkMmZjZjRkYjEiLCJhdF9oYXNoIjoiQlAwWWlWMHVBNTFKOWxhQVpMNE9sQSIsImVtYWlsIjoiYmNhbGxhd2F5QGdvb2dsZS5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiZmVkZXJhdGVkX2NsYWltcyI6eyJjb25uZWN0b3JfaWQiOiJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20iLCJ1c2VyX2lkIjoiMTE3MzYxMDU2NDU2NDg4NTg2MjQzIn19.h5wHyhhX2AVZbs9GRiAYfxeOx3IFan46B4XY2OPnwJZYh2yE2Zn3d9kmCZcFD2189VeBUyXOKoV8OZwPWHouGZq4qxYn8yqdJP2weQybVASSFtu2nDaMeavVfb5_Si9P07V8hmmEn7Gm6wxSsS0bhbvBYpj-90uF7TdEePqPfYZAyNQvEEBV2UmvZUhwt7sCwAmgvWxj6RNYyfmWeooczCUpbiDZxr0-J9K3Fpdd5qYz1mXjb5waoKDAHmWMs6xO5YA4QbvmLyMChcqnBIvBr0nrZvP4qTOS6zCNiW5R0e4u6oIEtJpMzt4BRpEUxEQJlpQ2utWpg5D39-jt-u_9qQ",
  "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjEwOTdjOWI4ZThhMTk3NzEwZTUyYTZiOTg4NTM3YWIwM2U0MDJjNTYifQ.eyJpc3MiOiJodHRwczovL29hdXRoMi5zaWdzdG9yZS5kZXYvYXV0aCIsInN1YiI6IkNoVXhNVGN6TmpFd05UWTBOVFkwT0RnMU9EWXlORE1TRzJoMGRIQnpPaTh2WVdOamIzVnVkSE11WjI5dloyeGxMbU52YlEiLCJhdWQiOiJzaWdzdG9yZSIsImV4cCI6MTY0MzAzNzc3MCwiaWF0IjoxNjQzMDM3NzEwLCJub25jZSI6IjRlOWJlNGFlODhiNzk2MDY2M2FmY2E2NWFhZTc2MzVlMTc4YThjNDU2ZjUwNDVhM2E0OWU2YjFkMmZjZjRkYjEiLCJhdF9oYXNoIjoiTjA1MGR5RGRHa3VyNk9lVUhoVE5yZyIsImNfaGFzaCI6IjBXc0dxdVMxeTVDUnB2SEJBbEk4ckEiLCJlbWFpbCI6ImJjYWxsYXdheUBnb29nbGUuY29tIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImZlZGVyYXRlZF9jbGFpbXMiOnsiY29ubmVjdG9yX2lkIjoiaHR0cHM6Ly9hY2NvdW50cy5nb29nbGUuY29tIiwidXNlcl9pZCI6IjExNzM2MTA1NjQ1NjQ4ODU4NjI0MyJ9fQ.aHHcJ0gL9LgER4Ud2u4NvYKEQlwWFdkGcQKtW8pYpWDCc-WvPbEaiR6woJCH8LdtnCJfnPsw8bJSJhFkD23TgIxTtAStpXjiZQbKhexl_CdLzw88HGQ-ndxpa2ckuT98Bts2XeBwP8u9fUBvSHD3y-79jornv7EDgkr8NRfCN6acEVVIWmxXV7PGUlZhv_4HoiktL3tlBkneDHLHKJUsm_kwlT41dEzGzIQFYJN4fJU-sXuWj9qYcy2fck3o8jVPgWO8cB7E4xLC4jF9wJ5dz4zBxQY4EkabsfrpkiHHeh53dUft8e9vGX9fLnxbZ-xiwR2KG5x831h7nqWoX1tmLA",
  "refresh_token": "ChlqaWVxc2RobjVkNTczankzY3Y0bjdoYTd1EhlyMzUzeWtjM3NnNHBrcHd2bmt0Mmxyd2k0",
  "expires_in": 59,
  "token_type": "bearer"
}

then

curl -X POST "https://oauth2.sigstore.dev/auth/token" -d grant_type=refresh_token -d refresh_token=ChlqaWVxc2RobjVkNTczankzY3Y0bjdoYTd1EhlyMzUzeWtjM3NnNHBrcHd2bmt0Mmxyd2k0 -d client_id=sigstore|jq .
100  2312  100  2182  100   130   8964    534 --:--:-- --:--:-- --:--:--  9475
{
  "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjEwOTdjOWI4ZThhMTk3NzEwZTUyYTZiOTg4NTM3YWIwM2U0MDJjNTYifQ....I_F774IH6rfwg3UMAHW3Rh4cFhVsBTHfNqrcFUpsFTDM_cQGQesYx9p201zm3EZwz0BZUyN8Zx9U--o9yc8OCAht-RcCHmrUC0SMx6Wo7oepy7LF8oMNibF2BdQIMlWaXXYPqHbac_NUnFxHEOLsrlf6EQGBQOywnhCrBTALnDhO6FJAmJvyWT9ebhYFOaBqJMevzTCQigxt-yHRKHs2wt_EyaCf9YuoVdiMnIbmSGynd9TAcjSCq92nNAgO7PFRPbZGYjm2gJtyS90Fhztih1Hmb_vJMXLPBLAgqnO3dXWwKGMHT-bOaS2IagcuSkZyQzMJ3R2vX4c73GQPkCA80g",
  "token_type": "bearer",
  "expires_in": 59,
  "refresh_token": "NEW_TOKEN_VALUE_REDACTED",
  "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjEwOTdjOWI4ZThhMTk3NzEwZTUyYTZiOTg4NTM3YWIwM2U0MDJjNTYifQ....hM6yKAO7EOc9igUGSFAkPqwN0nnW0OWiJTB7v_Y8AZ8qPyhxdppznmKh05IgXeCvI-rtFWJVpfsiY1buBETOX7EftoN97pdlaNZ-JnYMLaaAS4vBcBAEeJYx1JuxXcXXi60lMU3iwYfPhX9ya1CL7NLwTf6r1fV8SuEN3NqnJ37wZ-buHNU9hWLcBCGzBqI1zDYEvC6qEhK1tAzWs1NeqSF2fGCQqawIFoL0ZFd_Jdar32Xk75J9t2qt6iciPCYXNfRLV56vlrTRWLzdy-VJFYEtwgA5FBxMYeObLqMGsPtMn1qUpErhMz86IERCUdt7T-dWh1MsHGAnu28SRrkbtw"
}

Also note that for every refresh of an id token, Dex issues a new refresh token. This security measure is called refresh token rotation and prevents someone stealing it.
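The flow described in this issue, written out as an added example (this is not code from the issue, from Dex, or from the step CLI). The client side mirrors the two steps above: a one-time browser login that returns an id_token plus refresh_token, then refresh grants that POST the same three form fields the curl command uses, replacing the stored refresh token after every response because Dex rotates it. The issuer URL, client_id, token endpoint and the 59-second lifetime come from the page; `FakeDex`, `TokenStore`, `needs_refresh`, the user e-mail and the fact that the mock refuses a spent refresh token are constructed assumptions of this example so it runs offline. The mock mints unsigned tokens, which is why the claim reader below does not verify signatures; a real relying party (Fulcio here) verifies the id_token against the issuer's JWKS.

```python
import base64
import json
import secrets
from urllib.parse import parse_qs, urlencode

# Values taken from the issue text.
ISSUER = "https://oauth2.sigstore.dev/auth"
TOKEN_ENDPOINT = ISSUER + "/token"
CLIENT_ID = "sigstore"
TOKEN_LIFETIME = 59  # "expires_in": 59 in both responses above


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_claims(token: str) -> dict:
    """Read the claims of a compact JWT WITHOUT verifying it.
    Adequate for deciding when to refresh (exp); the relying party must
    still verify the signature against the issuer's published keys."""
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))


def needs_refresh(id_token: str, now: int, skew: int = 10) -> bool:
    """True when the id_token expires within `skew` seconds of `now`."""
    return jwt_claims(id_token)["exp"] - skew <= now


def refresh_request_body(refresh_token: str) -> str:
    """Form body of the refresh grant: the same fields as the curl -d flags."""
    return urlencode({"grant_type": "refresh_token",
                      "refresh_token": refresh_token,
                      "client_id": CLIENT_ID})


class FakeDex:
    """Constructed stand-in for the Dex token endpoint (assumption, not Dex code).
    Mints unsigned tokens and rotates the refresh token on every grant; that the
    spent token is then refused is this mock's behaviour, not stated on the page."""

    def __init__(self, email: str = "user@example.com"):  # constructed e-mail
        self.email = email
        self.valid_refresh_tokens = set()

    def mint(self, now: int) -> dict:
        claims = {"iss": ISSUER, "aud": CLIENT_ID, "iat": now,
                  "exp": now + TOKEN_LIFETIME, "email": self.email,
                  "email_verified": True}
        id_token = ".".join([b64url_encode(json.dumps({"alg": "none"}).encode()),
                             b64url_encode(json.dumps(claims).encode()),
                             ""])  # empty signature: test token only
        refresh_token = secrets.token_urlsafe(24)
        self.valid_refresh_tokens.add(refresh_token)
        return {"id_token": id_token, "refresh_token": refresh_token,
                "expires_in": TOKEN_LIFETIME, "token_type": "bearer"}

    def token(self, body: str, now: int) -> dict:
        """Handle POST /token with a form-encoded body."""
        form = parse_qs(body)
        if form.get("grant_type") != ["refresh_token"] or form.get("client_id") != [CLIENT_ID]:
            return {"error": "invalid_request"}
        presented = form.get("refresh_token", [None])[0]
        if presented not in self.valid_refresh_tokens:
            return {"error": "invalid_grant"}
        self.valid_refresh_tokens.discard(presented)  # rotation: single use
        return self.mint(now)


class TokenStore:
    """Client side: holds the current id_token and the latest refresh token."""

    def __init__(self, response: dict):
        self.update(response)

    def update(self, response: dict) -> None:
        if "error" in response:
            raise RuntimeError("token endpoint error: " + response["error"])
        self.id_token = response["id_token"]
        # Always overwrite: with rotation the token we just presented is spent.
        self.refresh_token = response["refresh_token"]

    def fresh_id_token(self, dex: FakeDex, now: int) -> str:
        if needs_refresh(self.id_token, now):
            self.update(dex.token(refresh_request_body(self.refresh_token), now))
        return self.id_token


def demo() -> dict:
    """Browser login once (mint), then refresh with no browser involved."""
    dex = FakeDex()
    store = TokenStore(dex.mint(now=1_000))      # stands in for `step oauth`
    first_refresh = store.refresh_token
    store.fresh_id_token(dex, now=1_010)         # still valid: no request sent
    unchanged = store.refresh_token == first_refresh
    tok = store.fresh_id_token(dex, now=1_050)   # inside skew window: refreshed
    rotated = store.refresh_token != first_refresh
    replay = dex.token(refresh_request_body(first_refresh), now=1_051)
    return {"unchanged_while_valid": unchanged, "rotated_after_refresh": rotated,
            "new_exp": jwt_claims(tok)["exp"], "replay_error": replay.get("error")}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it directly to see the flow; the point to take from `TokenStore.update` is that a client using rotation must persist the refresh token from every response, not only the first one, or its next refresh fails.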
