Consider the scenario:

1. After an access token expires, the attacker uses the refresh token to issue new access and refresh tokens (the user still has the old one).
2. The user's client tries to obtain a new access token by presenting its own refresh token, and it fails.
3. The stolen token cannot be revoked.

Possible solutions:

- Delete the refresh tokens by user id during login. This way all refresh tokens that belong to a user are invalidated.

Scenario:

1. The attacker obtains a refresh token and issues a new access and refresh token (rotated, and the user still has the old one).
2. The user's client tries to obtain a new access token by presenting an invalid refresh token - it fails because the user's token does not exist in the data store.
3. The user tries to log in, which invalidates all existing refresh tokens (including the attacker's refresh token) and creates a new pair of tokens.

P.S. Also, as far as I see, logout should be possible only if the user has a valid access token. Maybe the better solution would be to require the refresh token to perform logout. Why? Because why unnecessarily generate a new access token just to log out? If the refresh token is valid, we revoke the tokens. If not, there is nothing to care about, provided we ensure that an access token's lifespan is shorter than a refresh token's lifespan (both expired).
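As an added illustration (not code from this issue or the project it was filed against), a minimal in-memory refresh-token store in Python that plays out the scenario above: rotation consumes the presented refresh token, a client whose token was already rotated by someone else gets a failure, login revokes every refresh token stored for the user id, and logout is keyed on the refresh token as the P.S. proposes. The class and function names (`AuthServer`, `TokenPair`, `scenario`) and the user id `alice` are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class TokenPair:
    access: str
    refresh: str


@dataclass
class AuthServer:
    # refresh token -> user id; a real server would keep this in a persistent data store
    refresh_store: dict = field(default_factory=dict)

    def _issue(self, user_id):
        refresh = secrets.token_urlsafe(32)
        self.refresh_store[refresh] = user_id
        return TokenPair(access=secrets.token_urlsafe(16), refresh=refresh)

    def login(self, user_id):
        # Invalidate every refresh token that belongs to this user, then issue a fresh pair.
        self.revoke_all(user_id)
        return self._issue(user_id)

    def refresh(self, refresh_token):
        # Rotation: the presented token is removed from the store and a new pair is issued.
        user_id = self.refresh_store.pop(refresh_token, None)
        if user_id is None:
            return None  # unknown, already rotated, or revoked token
        return self._issue(user_id)

    def revoke_all(self, user_id):
        for tok in [t for t, u in self.refresh_store.items() if u == user_id]:
            del self.refresh_store[tok]

    def logout(self, refresh_token):
        # Logout keyed on the refresh token: if it is valid, revoke all of the user's tokens.
        user_id = self.refresh_store.get(refresh_token)
        if user_id is None:
            return False
        self.revoke_all(user_id)
        return True


def scenario():
    server = AuthServer()
    user = server.login("alice")                  # constructed sample user
    stolen = server.refresh(user.refresh)         # second party rotates the user's token
    user_retry = server.refresh(user.refresh)     # user's old token no longer exists -> None
    user_again = server.login("alice")            # login revokes everything, including the rotated token
    stolen_retry = server.refresh(stolen.refresh)  # rotated token is now gone -> None
    return (stolen is not None, user_retry is None, stolen_retry is None,
            server.logout(user_again.refresh), server.refresh(user_again.refresh) is None)
```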