
The scenario is: you have a refresh token that is valid for a longer period of time and an access token that is valid for a shorter period of time.

The setup: There is a client, application server and authentication server.

  • The client stores the access token.
  • The application server stores the refresh token.
  • The authentication server hands out the refresh + access token.

One of the advantages is that a stolen access token can only be used for the time it is valid.

Say a hacker steals the access token that is valid for 30 minutes. When the hacker makes a request with the valid but expired stolen access token after 30 minutes, the application server refreshes it with the refresh token, so the hacker gains a new, valid, not expired access token.

How can this be prevented?

Arthur
  • Hey @Arthur. If you have found any best solution to this question, please tell me. I am very confused by this line and how to prevent this? :--> `Say a hacker steals the access token that is valid for 30 minutes. When the hacker makes a request with the valid but expired stolen access token after 30 minutes, the application server refreshes it with the refresh token, thus the hacker gaining a new valid and not expired access token.` – Pradip Kachhadiya Feb 22 '21 at 14:39

2 Answers

An application server should not have the refresh token.

In OAuth2.0 the client should store the refresh token.

To use the refresh token to mint a new access token, the client should present the refresh token (along with the client id and secret) to the authorisation server.

iandayman

There is no way to stop the hacker from refreshing the token unless

  1. The original user resets the password and the AUTH server deletes all the previous refresh tokens.

  2. The validity time of the refresh token is reduced closer to the validity of the access token.

In both the cases we are relying on invalidating the refresh token.

winter
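The two answers above describe the same picture from different sides: the refresh token is exchanged by the client at the authorisation server (with the client id and secret), and the only real defence is invalidating refresh tokens. The following is an added example, not code from either answerer, of a toy authorisation server that implements that: access tokens that simply expire after 30 minutes, a refresh endpoint that demands the client credentials, a `revoke_user` hook for the password-reset case, and, going one step beyond the answer, refresh-token rotation with reuse detection (each refresh token is single-use, and replaying an already-exchanged token revokes the whole session "family"). The client id, secret, lifetimes and in-memory dictionaries are constructed for the demo.

```python
import hmac
import secrets

# Constructed demo values for this example; a real authorisation server would
# load client credentials from a secret store and keep token state in a database.
CLIENT_ID = "demo-client"
CLIENT_SECRET = "demo-secret"
ACCESS_TTL = 30 * 60          # 30 minutes, the access-token lifetime from the question
REFRESH_TTL = 7 * 24 * 3600   # 7 days; an assumed refresh-token lifetime


class AuthServer:
    """Minimal authorisation server: issues, refreshes and revokes tokens."""

    def __init__(self):
        # refresh token -> {"user", "family", "expires_at", "used"}
        self.refresh_tokens = {}
        # access token -> (user, expires_at)
        self.access_tokens = {}

    def _issue(self, user, family, now):
        access = secrets.token_urlsafe(32)
        refresh = secrets.token_urlsafe(32)
        self.access_tokens[access] = (user, now + ACCESS_TTL)
        self.refresh_tokens[refresh] = {
            "user": user, "family": family,
            "expires_at": now + REFRESH_TTL, "used": False,
        }
        return {"access_token": access, "refresh_token": refresh,
                "expires_in": ACCESS_TTL}

    def login(self, user, now):
        """Password login: starts a new token family for this session."""
        return self._issue(user, secrets.token_hex(8), now)

    def validate_access(self, token, now):
        """Resource-server check: returns the user, or None if expired/unknown."""
        entry = self.access_tokens.get(token)
        if entry is None or entry[1] <= now:
            return None
        return entry[0]

    def refresh(self, refresh_token, client_id, client_secret, now):
        """Exchange a refresh token for a new pair; the client must authenticate."""
        if not (hmac.compare_digest(client_id, CLIENT_ID)
                and hmac.compare_digest(client_secret, CLIENT_SECRET)):
            return None                      # wrong client credentials
        rec = self.refresh_tokens.get(refresh_token)
        if rec is None or rec["expires_at"] <= now:
            return None                      # unknown, revoked or expired
        if rec["used"]:
            # An already-exchanged refresh token is being replayed: either the
            # legitimate client or a thief holds a stolen copy. Revoke the whole
            # family so neither party can keep minting access tokens.
            self.revoke_family(rec["family"])
            return None
        rec["used"] = True                   # rotation: old token is single-use
        return self._issue(rec["user"], rec["family"], now)

    def revoke_family(self, family):
        """Drop every refresh token descending from one login."""
        for t in [t for t, r in self.refresh_tokens.items() if r["family"] == family]:
            del self.refresh_tokens[t]

    def revoke_user(self, user):
        """Called on password reset: drop every refresh token the user holds."""
        for t in [t for t, r in self.refresh_tokens.items() if r["user"] == user]:
            del self.refresh_tokens[t]


if __name__ == "__main__":
    srv = AuthServer()
    pair = srv.login("alice", now=0.0)
    print("access valid at t=0:", srv.validate_access(pair["access_token"], 0.0))
    print("access valid at t=31min:", srv.validate_access(pair["access_token"], 31 * 60))
    print("refresh without secret:", srv.refresh(pair["refresh_token"], CLIENT_ID, "nope", 31 * 60))
```

With this layout the scenario from the question cannot occur: an expired access token on its own buys nothing, because the refresh step needs the refresh token plus the client secret, neither of which the application server should ever hand to a caller. If the refresh token itself leaks, rotation limits the damage to the window before the legitimate client's next refresh, and a password reset (`revoke_user`) closes it entirely.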