I am using OAuth2 authorization mechanism for my mobile app to access my resource server. I have defined client which has its secret, name mobile_client and uses Authorization Code Grant to obtain Refresh Token. I also have one user [email protected] who is using my app on two mobile phones. I noticed an issue with token stealing.
The scenario looks like this:
+---------------+
(Phone 1)----------- Refresh Token1----------->| Authorization |
(Phone 1)<--- Access Token1+Refresh Token2-----| Server |
+---------------+
+----------+
(Phone 1)---- Access Token1 ---->| Resource |
(Phone 1)-- Protected Resource --| Server |
+----------+
+---------------+
(Phone 2)---------- Refresh Token2 ----------->| Authorization |
(Phone 2)<--- Access Token2+Refresh Token3-----| Server |
+---------------+
+----------+
(Phone 1)---- Access Token1 --->| Resource |
(Phone 1)<- 401 TOKEN EXPIRED! | Server |
+----------+
It looks like [email protected] on Phone 1 and Phone 2 received the same Refresh Token from my Authorization Server for calls with the same app and username. This in the end caused that the second call refreshed Access Token on the Phone 1 as well.
Is that a proper behavior of Authorization Server?
I use Spring Security Oauth2 2.3.3.RELEASE and Spring Security 5.1.0.RELEASE
Edit
As I see in Google oauth2 specification they provide more refresh tokens per user so this should be configured somehow in Spring.
There is currently a limit of 50 refresh tokens per user account per client. If the limit is reached, creating a new refresh token automatically invalidates the oldest refresh token without warning.
