
Security implications of refresh token grace period

I have an OAuth2 server built with django-oauth-toolkit, and by default, refresh tokens are revoked immediately upon use. This means that if a client requests a new access token using a refresh token but doesn't receive the response due to a network interruption, they will be forced to reauthenticate.

The library provides the setting REFRESH_TOKEN_GRACE_PERIOD_SECONDS which is an amount of time to wait between the use of a refresh token and its revocation. If a client uses a refresh token and does not receive the response, that original refresh token will still be valid for REFRESH_TOKEN_GRACE_PERIOD_SECONDS which allows the client to get a new access token without needing to reauthenticate.

As far as I can tell, the purpose of immediately revoking refresh tokens upon use is to prevent replay attacks, but since this authorization server exclusively uses https, it seems this is a sufficient defense against this type of attack.

Are there other vulnerabilities that can result from having a grace period for refresh token revocation? What would be the implications of never revoking a refresh token?

Security considerations are mentioned in RFC 7009: https://tools.ietf.org/html/rfc7009#section-5

You can also have an attack on TLS (HTTPS) if it's not configured/managed properly (insecure TLS versions, ciphers, man in the middle, expired cert, problems with the Certification Authority, ...).

You may have a problem with resource exhaustion on your server. A refresh token needs some resources, e.g. memory, a DB record, ...
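To make the trade-off in the question concrete, here is an added example (not code from django-oauth-toolkit or from the answer above) of refresh-token rotation with a grace period and reuse detection. It assumes an in-memory store constructed for the example, a hypothetical `family` field linking every token descended from one login, and a `grace_period` parameter standing in for REFRESH_TOKEN_GRACE_PERIOD_SECONDS. It goes beyond the page in one respect: a reuse inside the window is only honoured while the successor token is itself unused, since a client that never saw the first response cannot have used the successor; any other reuse is treated as a replay and the whole family is revoked.

```python
"""Refresh-token rotation with a reuse grace period and replay (reuse) detection."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


class InvalidGrant(Exception):
    """The presented refresh token is unknown or no longer usable."""


class ReplayDetected(InvalidGrant):
    """A refresh token was reused in a way a well-behaved client cannot produce."""


@dataclass
class RefreshToken:
    token: str
    family: str                         # hypothetical: links all tokens descended from one login
    revoked_at: Optional[float] = None  # set on first use; the grace window counts from here
    successor: Optional[str] = None     # token handed out when this one was first used


class RefreshTokenStore:
    """In-memory store constructed for this example (not django-oauth-toolkit's model)."""

    def __init__(self, grace_period: float = 30.0, clock: Callable[[], float] = time.time):
        self.grace_period = grace_period  # plays the role of REFRESH_TOKEN_GRACE_PERIOD_SECONDS
        self.clock = clock                # injectable so the scenario below is deterministic
        self.tokens: Dict[str, RefreshToken] = {}

    def issue(self, family: Optional[str] = None) -> str:
        """Mint a fresh refresh token, starting a new family unless one is given."""
        rt = RefreshToken(token=secrets.token_urlsafe(32), family=family or secrets.token_hex(8))
        self.tokens[rt.token] = rt
        return rt.token

    def revoke_family(self, family: str) -> None:
        """Kill every still-usable token in the family (the response to detected reuse)."""
        now = self.clock()
        for rt in self.tokens.values():
            if rt.family == family and rt.revoked_at is None:
                rt.revoked_at = now

    def rotate(self, presented: str) -> str:
        """Exchange a refresh token for its successor, applying the grace-period rules."""
        rt = self.tokens.get(presented)
        if rt is None:
            raise InvalidGrant("unknown refresh token")
        now = self.clock()

        if rt.revoked_at is None:
            # First use: issue the successor and start the grace window on the old token.
            rt.successor = self.issue(rt.family)
            rt.revoked_at = now
            return rt.successor

        if rt.successor is None:
            # Revoked without ever being rotated (family revocation): plainly dead.
            raise InvalidGrant("refresh token revoked")

        within_grace = now - rt.revoked_at <= self.grace_period
        succ = self.tokens[rt.successor]
        if within_grace and succ.revoked_at is None:
            # Plausible lost response: return the same successor so only one live token exists.
            return succ.token

        # The window has closed, or the successor was already used (which a client that
        # never saw the first response could not have done): treat as replay, revoke the family.
        self.revoke_family(rt.family)
        raise ReplayDetected(f"refresh token reuse detected for family {rt.family}")


def scenario() -> dict:
    """Lost-response retry inside the window, then a reuse after it has closed."""
    now = [1_000.0]
    store = RefreshTokenStore(grace_period=30.0, clock=lambda: now[0])
    t0 = store.issue()
    s1 = store.rotate(t0)          # first use: t0 enters its grace window
    now[0] += 10
    retry = store.rotate(t0)       # retry inside the window: same successor handed back
    now[0] += 30                   # 40 s after first use: window closed
    try:
        store.rotate(t0)
        late = "accepted"
    except ReplayDetected:
        late = "replay"
    try:
        store.rotate(s1)           # family was revoked, so the successor is dead too
        successor_state = "usable"
    except InvalidGrant:
        successor_state = "revoked"
    return {"rotated": s1 != t0, "retry_same": retry == s1,
            "late": late, "successor": successor_state}


if __name__ == "__main__":
    print(scenario())
```

The grace window is exactly the replay exposure you accept: inside it, an old token that reaches the server (over a broken TLS path, from a leaked log, and so on) yields the same successor a retrying client would get, and only use of the successor by both parties exposes the duplicate. Outside the window, or once the successor has been spent, reuse is a signal rather than a courtesy, and revoking the family converts the attacker's gain into a forced re-login for the legitimate user. Never revoking corresponds to an unbounded window with no such signal, which also keeps every token row alive, the resource-exhaustion point made above.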
