Each time a user logs in, he gets a new access_token and a new refresh_token.
When his access_token is expired, he uses his refresh_token to get a new access_token.
If an attacker somehow gets access to his refresh_token... then according to the OAuth 2.0 documentation:
The authorization server could employ refresh token rotation in which a new refresh token is issued with every access token refresh response. The previous refresh token is invalidated but retained by the authorization server. If a refresh token is compromised and subsequently used by both the attacker and the legitimate client, one of them will present an invalidated refresh token, which will inform the authorization server of the breach.
So basically, if any refresh_token is used twice, I will notice the attack.
But what if the legitimate user never uses his refresh token (which was stolen by an attacker)? The attacker will be able to log in and refresh over and over without the legitimate user being able to detect it.
Sounds like a rare situation? What if you come to my place for dinner and log in with my computer, and I get your refresh_token and access_token, and you never use this refresh_token again? Nobody will ever notice the attack.
What could solve this?
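As an added illustration (not code from the question or from any OAuth library), here is a toy authorization server that implements the refresh-token rotation quoted above, keeping retired tokens so a replay reveals the breach and revokes the whole login "family". It also shows the gap the question describes: an attacker who refreshes alone is never detected by rotation, which is why the example bounds each family with an assumed absolute lifetime after which a fresh login is required.

```python
import secrets
import time


class AuthServer:
    """Toy OAuth 2.0 authorization server with refresh-token rotation.

    Every refresh token belongs to a 'family' created at login. Rotated-out
    tokens are retained (not deleted) so that presenting one again proves the
    token was shared between two parties; the whole family is then revoked.
    The absolute family lifetime (max_family_age) is an assumed mitigation,
    not part of the quoted RFC text."""

    def __init__(self, max_family_age=7 * 24 * 3600):
        self.active = {}     # refresh_token -> family_id (currently valid)
        self.retired = {}    # refresh_token -> family_id (already rotated)
        self.families = {}   # family_id -> {"created": ts, "revoked": bool}
        self.max_family_age = max_family_age

    def login(self, now=None):
        """Interactive login: start a new token family."""
        now = time.time() if now is None else now
        fid = secrets.token_hex(8)
        self.families[fid] = {"created": now, "revoked": False}
        return self._issue(fid)

    def _issue(self, fid):
        rt = secrets.token_urlsafe(32)
        self.active[rt] = fid
        return {"access_token": secrets.token_urlsafe(16), "refresh_token": rt}

    def refresh(self, refresh_token, now=None):
        """Rotate: retire the presented token, issue a new pair."""
        now = time.time() if now is None else now
        if refresh_token in self.retired:
            # Replay of a rotated-out token: attacker and user both used it.
            self.families[self.retired[refresh_token]]["revoked"] = True
            raise PermissionError("refresh token reuse detected; family revoked")
        fid = self.active.get(refresh_token)
        if fid is None:
            raise PermissionError("unknown refresh token")
        fam = self.families[fid]
        if fam["revoked"]:
            raise PermissionError("family revoked")
        if now - fam["created"] > self.max_family_age:
            # Absolute bound: a stolen chain cannot be extended forever.
            raise PermissionError("session too old; interactive login required")
        del self.active[refresh_token]
        self.retired[refresh_token] = fid
        return self._issue(fid)
```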