
Refresh token reuse detection #1404

Open
soerface opened this issue Feb 29, 2024 · 1 comment

Comments

@soerface

soerface commented Feb 29, 2024

Is your feature request related to a problem? Please describe.
I want to increase security by detecting reuse of old refresh tokens. Scenario:

  • A malicious actor steals the refresh token of a user
  • The malicious actor uses the refresh token to get a new access & refresh token
  • The user tries to use the refresh token to get a new access & refresh token
  • The user's request is denied because they used an outdated refresh token
  • The malicious actor is still logged in

Describe the solution you'd like
In case an old refresh token is used (taking REFRESH_TOKEN_GRACE_PERIOD_SECONDS into consideration), not only should it be rejected, but also the whole token family should be invalidated.

The implementation should be according to the RFC: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-25#section-4.14.2-5.2.2

Refresh token rotation: the authorization server issues a new refresh token with every access token refresh response. The previous refresh token is invalidated but information about the relationship is retained by the authorization server. If a refresh token is compromised and subsequently used by both the attacker and the legitimate client, one of them will present an invalidated refresh token, which will inform the authorization server of the breach. The authorization server cannot determine which party submitted the invalid refresh token, but it will revoke the active refresh token. This stops the attack at the cost of forcing the legitimate client to obtain a fresh authorization grant.

Implementation note: The grant to which a refresh token belongs may be encoded into the refresh token itself. This can enable an authorization server to efficiently determine the grant to which a refresh token belongs, and by extension, all refresh tokens that need to be revoked. Authorization servers MUST ensure the integrity of the refresh token value in this case, for example, using signatures.

Additional context
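A minimal in-memory model of the rotation-with-reuse-detection flow described in this issue, written here as an added example (it is not django-oauth-toolkit's code). The family id, the store class and the grace-window semantics (a retry inside the window returns the successor that was already issued) are assumptions for illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class RefreshToken:
    token: str
    family_id: str                       # constructed id for the grant this token descends from
    revoked: bool = False
    rotated_at: Optional[float] = None   # when this token was exchanged for its successor
    successor: Optional[str] = None      # the token issued in that exchange


class RefreshTokenStore:
    """Rotation with family-wide revocation when an outdated token is reused."""

    def __init__(self, grace_period_seconds: float = 0.0):
        self.grace = grace_period_seconds            # analogous to a grace-period setting
        self.tokens: Dict[str, RefreshToken] = {}
        self.families: Dict[str, List[str]] = {}
        self.reuse_events: List[str] = []            # family ids where reuse was detected

    def issue(self, family_id: Optional[str] = None) -> RefreshToken:
        family_id = family_id or secrets.token_urlsafe(8)
        tok = RefreshToken(secrets.token_urlsafe(32), family_id)
        self.tokens[tok.token] = tok
        self.families.setdefault(family_id, []).append(tok.token)
        return tok

    def revoke_family(self, family_id: str) -> None:
        for t in self.families.get(family_id, []):
            self.tokens[t].revoked = True

    def rotate(self, presented: str, now: float) -> Optional[RefreshToken]:
        """Exchange a refresh token for its successor; None means the request is rejected."""
        old = self.tokens.get(presented)
        if old is None or old.revoked:
            return None                              # unknown or already revoked: plain reject
        if old.rotated_at is not None:
            # Already rotated. Inside the grace window (assumed semantics) a retried
            # request gets the successor that was already issued; otherwise it is reuse.
            if now - old.rotated_at <= self.grace:
                return self.tokens[old.successor]
            self.reuse_events.append(old.family_id)  # signal for alerting / audit logging
            self.revoke_family(old.family_id)        # attacker and user are indistinguishable
            return None
        new = self.issue(old.family_id)
        old.rotated_at, old.successor = now, new.token
        return new
```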

@n2ygk
Member

n2ygk commented May 20, 2024

This sounds great and a PR would be greatly appreciated.
