Delete refresh tokens by user ID before login #5

Open
BranislavLazic opened this issue Dec 22, 2021 · 0 comments


BranislavLazic commented Dec 22, 2021

Consider the scenario:

  • An attacker obtains a refresh token
  • After an access token expires, the attacker uses the refresh token to issue new access and refresh tokens (the user still has the old one)
  • The user's client tries to obtain a new access token by presenting its own refresh token, and it fails
  • The stolen token cannot be revoked

Possible solutions:

  • Delete the refresh tokens by user ID during login.
    This way all refresh tokens that belong to a user are invalidated.

Scenario:

  • An attacker obtains a refresh token and issues a new access and refresh token (rotated; the user still has the old one)
  • The user's client tries to obtain a new access token by presenting an invalid refresh token; it fails because the user's token does not exist in the data store
  • The user tries to log in, invalidates all existing refresh tokens (including the attacker's refresh token), and creates a new pair of tokens.

P.S. Also, as far as I see, logout should be possible only if the user has a valid access token. Maybe the better solution would be to require a refresh token to perform logout. Why? Because why unnecessarily generate a new access token just to log out? If the refresh token is valid, we revoke the tokens. If not, there is nothing to care about, provided we ensure that an access token's lifespan is shorter than a refresh token's lifespan (both expired).
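The rotate-on-refresh plus revoke-all-on-login behaviour described in the issue, as an added Python example that is not this project's code: the in-memory `TokenStore`, the user id `"alice"` and the `walk_through_scenario` replay of the second scenario are all constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class TokenStore:
    """Constructed in-memory refresh token store: token value -> owning user id."""
    tokens: Dict[str, str] = field(default_factory=dict)

    def login(self, user_id: str) -> str:
        # The fix proposed in the issue: drop every refresh token owned by this
        # user before issuing a new one, so a stolen and rotated token dies here too.
        self.revoke_all(user_id)
        return self._issue(user_id)

    def refresh(self, refresh_token: str) -> Optional[str]:
        # Rotation: the presented token is consumed and replaced. An unknown token
        # yields None, which is what the legitimate client sees once a thief rotated it.
        user_id = self.tokens.pop(refresh_token, None)
        if user_id is None:
            return None
        return self._issue(user_id)

    def revoke_all(self, user_id: str) -> int:
        # Delete by user id, not by token value: returns how many tokens were removed.
        doomed = [t for t, owner in self.tokens.items() if owner == user_id]
        for t in doomed:
            del self.tokens[t]
        return len(doomed)

    def _issue(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self.tokens[token] = user_id
        return token


def walk_through_scenario() -> dict:
    """Replay the issue's second scenario and report what each party ends up with."""
    store = TokenStore()
    user_token = store.login("alice")
    thief_token = store.refresh(user_token)      # stolen copy rotated: thief holds the live token
    user_refresh = store.refresh(user_token)     # user's client fails: token already consumed
    store.login("alice")                         # user logs in: everything owned by alice is revoked
    thief_after_login = store.refresh(thief_token)
    return {
        "thief_rotated_ok": thief_token is not None,
        "user_refresh_failed": user_refresh is None,
        "thief_revoked_by_login": thief_after_login is None,
        "live_tokens": len(store.tokens),        # only the freshly issued token remains
    }
```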
