
Security implications of refresh token grace period

I have an OAuth2 server built with django-oauth-toolkit, and by default, refresh tokens are revoked immediately upon use. This means that if a client requests a new access token using a refresh token but doesn't receive the response due to a network interruption, they will be forced to reauthenticate.

The library provides the setting REFRESH_TOKEN_GRACE_PERIOD_SECONDS, which is an amount of time to wait between the use of a refresh token and its revocation. If a client uses a refresh token and does not receive the response, that original refresh token will still be valid for REFRESH_TOKEN_GRACE_PERIOD_SECONDS, which allows the client to get a new access token without needing to reauthenticate.

As far as I can tell, the purpose of immediately revoking refresh tokens upon use is to prevent replay attacks, but since this authorization server exclusively uses HTTPS, it seems this is a sufficient defense against this type of attack.

Are there other vulnerabilities that can result from having a grace period for refresh token revocation? What would be the implications of never revoking a refresh token?
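The following is an added illustration of the grace-period behaviour the question describes, written as a small in-memory refresh-token store; it is not django-oauth-toolkit's code, and the store layout, the "return the same successor on retry" rule and the "revoke the whole token family on late reuse" rule are assumptions made for this example.

```python
# Added example: refresh-token rotation with a reuse grace period, modelled on
# the REFRESH_TOKEN_GRACE_PERIOD_SECONDS setting from the question. This is NOT
# django-oauth-toolkit's implementation; the store, the same-successor retry
# rule and the family-revocation rule are assumptions made for the example.
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


class InvalidGrant(Exception):
    """Raised when a refresh token cannot be exchanged (OAuth2 'invalid_grant')."""


@dataclass
class RefreshToken:
    value: str
    family: str                      # all tokens descended from one authorization
    used_at: Optional[float] = None  # clock reading when first presented
    successor: Optional[str] = None  # token handed out in exchange for this one
    revoked: bool = False


class ManualClock:
    """Constructed test clock so the example runs deterministically offline."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


class RefreshTokenStore:
    """In-memory store; a real server would keep this in its database."""

    def __init__(self, grace_period_seconds: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.grace = grace_period_seconds
        self.clock = clock
        self.tokens: Dict[str, RefreshToken] = {}

    def issue(self, family: Optional[str] = None) -> str:
        """Mint a new refresh token; a new family starts if none is given."""
        value = secrets.token_urlsafe(32)
        self.tokens[value] = RefreshToken(value=value, family=family or value)
        return value

    def revoke_family(self, family: str) -> int:
        """Revoke every token in a family; returns how many were newly revoked."""
        count = 0
        for tok in self.tokens.values():
            if tok.family == family and not tok.revoked:
                tok.revoked = True
                count += 1
        return count

    def refresh(self, presented: str) -> str:
        """Exchange a refresh token; returns the refresh token the client should keep."""
        tok = self.tokens.get(presented)
        if tok is None or tok.revoked:
            raise InvalidGrant("unknown or revoked refresh token")
        now = self.clock()
        if tok.used_at is None:
            # First use: rotate. The old token stays usable only for the grace window.
            tok.used_at = now
            tok.successor = self.issue(tok.family)
            return tok.successor
        if now - tok.used_at < self.grace:
            # Retry inside the grace window (e.g. the client never saw the first
            # response): hand back the SAME successor instead of minting another,
            # so a replay inside the window gains nothing the legitimate client
            # does not already hold. (Design choice for this example.)
            return tok.successor
        # Presented again after the window: treat it as a replay and revoke the
        # whole family, the reuse-detection idea behind refresh token rotation
        # in RFC 6819.
        self.revoke_family(tok.family)
        raise InvalidGrant("refresh token reuse detected; token family revoked")


if __name__ == "__main__":
    clock = ManualClock()
    store = RefreshTokenStore(grace_period_seconds=30, clock=clock)
    first = store.issue()
    second = store.refresh(first)
    clock.t = 10.0
    print("retry inside grace returns same token:", store.refresh(first) == second)
    clock.t = 60.0
    try:
        store.refresh(first)
    except InvalidGrant as exc:
        print("late reuse:", exc)
```

Setting grace_period_seconds to 0 reproduces the library's default of immediate revocation; setting it to float("inf") models the "never revoke" case the question asks about, where a leaked refresh token stays exchangeable indefinitely and nothing ever flags its reuse.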

Security considerations are mentioned in RFC 7009: https://tools.ietf.org/html/rfc7009#section-5

You can also have an attack on TLS (HTTPS) if it's not configured/managed properly (insecure TLS versions, ciphers, man in the middle, expired cert, problems with the certification authority, ...).

You may have a problem with resource exhaustion on your server. A refresh token needs some resources, e.g. memory, a DB record, ...
