
Each time a user logs in, he gets a new access_token and a new refresh_token.

When his access_token is expired, he uses his refresh_token to get a new access_token.

If an attacker somehow gets access to his refresh_token... then according to the OAuth 2.0 documentation:

The authorization server could employ refresh token rotation in which a new refresh token is issued with every access token refresh response. The previous refresh token is invalidated but retained by the authorization server. If a refresh token is compromised and subsequently used by both the attacker and the legitimate client, one of them will present an invalidated refresh token, which will inform the authorization server of the breach.

So basically, if any refresh_token is used twice, I will notice the attack.

But what if the legitimate user never uses his refresh token (which was stolen by an attacker)? The attacker will be able to log in and refresh over and over without the legitimate user being able to detect it.

Sounds like a rare situation? What if you come to my place for dinner and log in with my computer, and I get your refresh_token and access_token, and you never use this refresh_token again? Nobody will ever notice the attack.

What could solve this ?
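The rotation-with-reuse-detection mechanism quoted above, and the blind spot the question describes, as an added example (not code from the original post or from any particular authorization server). It simulates a token endpoint: each login starts a refresh-token "family", every refresh retires the presented token and issues a new one, and presenting a retired token revokes the whole family and raises an alert. One assumption not in the quoted text: the family also gets an absolute lifetime (`family_max_age`), which is the only thing that ends the attacker's run when the legitimate client never refreshes.

```python
"""Refresh-token rotation with reuse detection (simulated authorization server)."""
import secrets


class AuthorizationServer:
    """Minimal token endpoint that rotates refresh tokens.

    Every login creates a token "family". Each refresh invalidates the presented
    token and issues a new one in the same family; presenting any older member
    of the family is treated as a breach and revokes the whole family.
    """

    def __init__(self, access_ttl=300, family_max_age=30 * 24 * 3600):
        self.access_ttl = access_ttl
        # Assumption: families have an absolute lifetime (not part of the quoted spec text).
        self.family_max_age = family_max_age
        self.families = {}        # family_id -> state
        self.token_family = {}    # every refresh token ever issued -> family_id (retained)
        self.alerts = []          # breach notifications for the SOC

    def login(self, subject, now):
        family_id = secrets.token_hex(8)
        rt = secrets.token_urlsafe(32)
        self.families[family_id] = {"subject": subject, "current": rt,
                                    "created": now, "revoked": False}
        self.token_family[rt] = family_id
        return self._issue(rt, now)

    def refresh(self, presented, now):
        family_id = self.token_family.get(presented)
        if family_id is None:
            return {"error": "invalid_grant"}          # never issued by us
        fam = self.families[family_id]
        if fam["revoked"]:
            return {"error": "invalid_grant"}          # family already killed
        if presented != fam["current"]:
            # An invalidated-but-retained token was presented: either the attacker
            # or the legitimate client is replaying. Revoke the whole family.
            fam["revoked"] = True
            self.alerts.append({"subject": fam["subject"], "family": family_id,
                                "reason": "refresh_token_reuse", "at": now})
            return {"error": "invalid_grant", "reason": "refresh_token_reuse"}
        if now - fam["created"] > self.family_max_age:
            fam["revoked"] = True
            return {"error": "invalid_grant", "reason": "family_expired"}
        new_rt = secrets.token_urlsafe(32)
        fam["current"] = new_rt
        self.token_family[new_rt] = family_id
        return self._issue(new_rt, now)

    def _issue(self, rt, now):
        return {"access_token": secrets.token_urlsafe(32),
                "expires_at": now + self.access_ttl, "refresh_token": rt}


def scenario_both_sides_refresh():
    """Stolen token used by the attacker, then by the legitimate client: detected."""
    srv = AuthorizationServer()
    t0 = 1_000_000                                     # constructed timestamps
    stolen = srv.login("alice", now=t0)["refresh_token"]
    attacker = srv.refresh(stolen, now=t0 + 400)       # works and rotates the family
    victim = srv.refresh(stolen, now=t0 + 800)         # legitimate client replays the old token
    follow_up = srv.refresh(attacker["refresh_token"], now=t0 + 900)
    return {"attacker_ok": "access_token" in attacker,
            "victim_error": victim.get("reason"),
            "attacker_cut_off": follow_up.get("error") == "invalid_grant",
            "alerts": len(srv.alerts)}


def scenario_victim_never_refreshes():
    """The case from the question: only the attacker ever refreshes, so no reuse occurs."""
    srv = AuthorizationServer()
    t0 = 1_000_000
    rt = srv.login("alice", now=t0)["refresh_token"]
    now, successes = t0, 0
    while True:
        now += srv.access_ttl                          # attacker refreshes whenever the access token expires
        resp = srv.refresh(rt, now)
        if "error" in resp:
            break
        rt = resp["refresh_token"]
        successes += 1
    return {"silent_refreshes": successes, "alerts": len(srv.alerts),
            "ended_by": resp.get("reason")}


if __name__ == "__main__":
    print(scenario_both_sides_refresh())
    print(scenario_victim_never_refreshes())
```

In the first scenario the server never learns which party is the thief; it only learns that two parties hold the same token, so it kills the whole family and both have to log in again. In the second scenario the rotation chain stays perfectly consistent (one holder, one current token), so reuse detection never fires and the attacker keeps going until the family's absolute lifetime runs out.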


1 Answer


Each time a user logs in, he gets a new access_token and a new refresh_token

The client application gets these tokens, not the end-user.

The attacker will be able to login and refresh over and over without the legitimate user being able to detect it

To make any use of a refresh token you need the client's secret too.

What if you come to my place for dinner and log in with my computer

I would never do that. I'm not that rude :) What's for dinner?