How do OAuth servers deal with a `refresh_token` requested multiple times? The 2019 Stack...
Ubuntu Server install with full GUI
What information about me do stores get via my credit card?
Is it ok to offer lower paid work as a trial period before negotiating for a full-time job?
What is preventing me from simply constructing a hash that's lower than the current target?
Why not take a picture of a closer black hole?
What could be the right powersource for 15 seconds lifespan disposable giant chainsaw?
What is this business jet?
Why can I use a list index as an indexing variable in a for loop?
Can we generate random numbers using irrational numbers like π and e?
Will it cause any balance problems to have PCs level up and gain the benefits of a long rest mid-fight?
"as much details as you can remember"
The phrase "to the numbers born"?
Kerning for subscripts of sigma?
Why is this code so slow?
Why does the nucleus not repel itself?
A female thief is not sold to make restitution -- so what happens instead?
Why doesn't shell automatically fix "useless use of cat"?
Why didn't the Event Horizon Telescope team mention Sagittarius A*?
Geography at the pixel level
Did any laptop computers have a built-in 5 1/4 inch floppy drive?
Old scifi movie from the 50s or 60s with men in solid red uniforms who interrogate a spy from the past
Can a flute soloist sit?
How can I define good in a religion that claims no moral authority?
Getting crown tickets for Statue of Liberty
How do OAuth servers deal with a `refresh_token` requested multiple times?
The 2019 Stack Overflow Developer Survey Results Are InApache2 filtering Auth headersSupport for refresh tokens in ADFS 2.2 OAuth flowDo I need my own oauth and/or openid connect providerUse a physical cryptographic token with OpenVPN community (free) versionSecuring APIs with oAuthPuTTY slow connecting to Linux SSH serverAdfs 3.0 Redirect Uri Length LimitHow to only allow access to nginx with active, established ssh connection?PKI Authentication in HTTPD using Active Directory (LDAP)ADFS: Convert SAML Assertion to OAuth Token?
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box;
}
In the OAuth2 authentication process refresh tokens should be used only once. When the refresh_token is used it will return a new access_token and a new refresh_token.
This is also in the RFC6819 spec:
5.2.2.3. Refresh Token Rotation
Refresh token rotation is intended to automatically detect and
prevent attempts to use the same refresh token in parallel from
different apps/devices. This happens if a token gets stolen from the
client and is subsequently used by both the attacker and the
legitimate client. The basic idea is to change the refresh token
value with every refresh request in order to detect attempts to
obtain access tokens using old refresh tokens. Since the
authorization server cannot determine whether the attacker or the
legitimate client is trying to access, in case of such an access
attempt the valid refresh token and the access authorization
associated with it are both revoked.
The OAuth specification supports this measure in that the token's
response allows the authorization server to return a new refresh
token even for requests with grant type "refresh_token".
Note: This measure may cause problems in clustered environments,
since usage of the currently valid refresh token must be ensured. In
such an environment, other measures might be more appropriate.
This also allows the authentication server to recognize that a refresh_token was compromised, since it should only be used once. If a new renew request with the same refresh_token comes in the authentication server knows there is something fishy going on.
I wonder what is the proper way for the server to deal with such a scenario though? My guess would be that at least all the access_tokens for that particular client should be invalidated directly.
How do OAuth2 servers usually deal with multiple requests using the same refresh_token?
authentication oauth token
asked Dec 21 '16 at 9:59
WiltWilt
288410
add a comment |
In the OAuth2 authentication process refresh tokens should be used only once. When the refresh_token is used it will return a new access_token and a new refresh_token.
This is also in the RFC6819 spec:
5.2.2.3. Refresh Token Rotation
Refresh token rotation is intended to automatically detect and
prevent attempts to use the same refresh token in parallel from
different apps/devices. This happens if a token gets stolen from the
client and is subsequently used by both the attacker and the
legitimate client. The basic idea is to change the refresh token
value with every refresh request in order to detect attempts to
obtain access tokens using old refresh tokens. Since the
authorization server cannot determine whether the attacker or the
legitimate client is trying to access, in case of such an access
attempt the valid refresh token and the access authorization
associated with it are both revoked.
The OAuth specification supports this measure in that the token's
response allows the authorization server to return a new refresh
token even for requests with grant type "refresh_token".
Note: This measure may cause problems in clustered environments,
since usage of the currently valid refresh token must be ensured. In
such an environment, other measures might be more appropriate.
This also allows the authentication server to recognize that a refresh_token was compromised, since it should only be used once. If a new renew request with the same refresh_token comes in the authentication server knows there is something fishy going on.
I wonder what is the proper way for the server to deal with such a scenario though? My guess would be that at least all the access_tokens for that particular client should be invalidated directly.
How do OAuth2 servers usually deal with multiple requests using the same refresh_token?
authentication oauth token
asked Dec 21 '16 at 9:59
WiltWilt
288410
add a comment |
In the OAuth2 authentication process refresh tokens should be used only once. When the refresh_token is used it will return a new access_token and a new refresh_token.
This is also in the RFC6819 spec:
5.2.2.3. Refresh Token Rotation
Refresh token rotation is intended to automatically detect and
prevent attempts to use the same refresh token in parallel from
different apps/devices. This happens if a token gets stolen from the
client and is subsequently used by both the attacker and the
legitimate client. The basic idea is to change the refresh token
value with every refresh request in order to detect attempts to
obtain access tokens using old refresh tokens. Since the
authorization server cannot determine whether the attacker or the
legitimate client is trying to access, in case of such an access
attempt the valid refresh token and the access authorization
associated with it are both revoked.
The OAuth specification supports this measure in that the token's
response allows the authorization server to return a new refresh
token even for requests with grant type "refresh_token".
Note: This measure may cause problems in clustered environments,
since usage of the currently valid refresh token must be ensured. In
such an environment, other measures might be more appropriate.
This also allows the authentication server to recognize that a refresh_token was compromised, since it should only be used once. If a new renew request with the same refresh_token comes in the authentication server knows there is something fishy going on.
I wonder what is the proper way for the server to deal with such a scenario though? My guess would be that at least all the access_tokens for that particular client should be invalidated directly.
How do OAuth2 servers usually deal with multiple requests using the same refresh_token?
authentication oauth token
asked Dec 21 '16 at 9:59
WiltWilt
288410
In the OAuth2 authentication process refresh tokens should be used only once. When the refresh_token is used it will return a new access_token and a new refresh_token.
This is also in the RFC6819 spec:
5.2.2.3. Refresh Token Rotation
Refresh token rotation is intended to automatically detect and
prevent attempts to use the same refresh token in parallel from
different apps/devices. This happens if a token gets stolen from the
client and is subsequently used by both the attacker and the
legitimate client. The basic idea is to change the refresh token
value with every refresh request in order to detect attempts to
obtain access tokens using old refresh tokens. Since the
authorization server cannot determine whether the attacker or the
legitimate client is trying to access, in case of such an access
attempt the valid refresh token and the access authorization
associated with it are both revoked.
The OAuth specification supports this measure in that the token's
response allows the authorization server to return a new refresh
token even for requests with grant type "refresh_token".
Note: This measure may cause problems in clustered environments,
since usage of the currently valid refresh token must be ensured. In
such an environment, other measures might be more appropriate.
This also allows the authentication server to recognize that a refresh_token was compromised, since it should only be used once. If a new renew request with the same refresh_token comes in the authentication server knows there is something fishy going on.
I wonder what is the proper way for the server to deal with such a scenario though? My guess would be that at least all the access_tokens for that particular client should be invalidated directly.
How do OAuth2 servers usually deal with multiple requests using the same refresh_token?
authentication oauth token
authentication oauth token
asked Dec 21 '16 at 9:59
WiltWilt
288410
asked Dec 21 '16 at 9:59
WiltWilt
288410
edited Dec 21 '16 at 15:43
Wilt
asked Dec 21 '16 at 9:59
WiltWilt
288410
asked Dec 21 '16 at 9:59
WiltWilt
288410
asked Dec 21 '16 at 9:59
WiltWilt
288410
288410
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
Access tokens invalidation
You cannot invalidate all access tokens for particular client_id. The client_id is usually bound to one application, but this app is used by more users. And even one user may use same app from different devices. The refresh token creates a kind of session - it must by unique for a particular app, user and device. Furthermore, a client may call refresh token with a narrower scope and in this case you do not want to invalidate the old access token with wider scope - the client may still use it.
With my limited experience, the OAuth servers do not invalidate the access tokens on the refresh token call. Access tokens are short lived, they just expire in time.
Refresh token multiple requests
See RFC6819 section 6: The authorization server MAY issue a new refresh token ... The authorization server MAY revoke the old refresh token after issuing a new refresh token to the client.
The spec. allow some freedom, so the implementations vary. The very secure implementation is to issue a new refresh token and invalidate the old one each time. But this makes troubles with concurrent calls (e.g. a multi threaded apps). So some servers has just one long lasting refresh tokens (simple implementation, less secure). Others keeps valid the old refresh token a short time (e.g. 2 min) after the new refresh token is issued.
answered 6 mins ago
xmedekoxmedeko
1085
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "2"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f821992%2fhow-do-oauth-servers-deal-with-a-refresh-token-requested-multiple-times%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
Access tokens invalidation
You cannot invalidate all access tokens for particular client_id. The client_id is usually bound to one application, but this app is used by more users. And even one user may use same app from different devices. The refresh token creates a kind of session - it must by unique for a particular app, user and device. Furthermore, a client may call refresh token with a narrower scope and in this case you do not want to invalidate the old access token with wider scope - the client may still use it.
With my limited experience, the OAuth servers do not invalidate the access tokens on the refresh token call. Access tokens are short lived, they just expire in time.
Refresh token multiple requests
See RFC6819 section 6: The authorization server MAY issue a new refresh token ... The authorization server MAY revoke the old refresh token after issuing a new refresh token to the client.
The spec. allow some freedom, so the implementations vary. The very secure implementation is to issue a new refresh token and invalidate the old one each time. But this makes troubles with concurrent calls (e.g. a multi threaded apps). So some servers has just one long lasting refresh tokens (simple implementation, less secure). Others keeps valid the old refresh token a short time (e.g. 2 min) after the new refresh token is issued.
answered 6 mins ago
xmedekoxmedeko
1085
add a comment |
Access tokens invalidation
You cannot invalidate all access tokens for particular client_id. The client_id is usually bound to one application, but this app is used by more users. And even one user may use same app from different devices. The refresh token creates a kind of session - it must by unique for a particular app, user and device. Furthermore, a client may call refresh token with a narrower scope and in this case you do not want to invalidate the old access token with wider scope - the client may still use it.
With my limited experience, the OAuth servers do not invalidate the access tokens on the refresh token call. Access tokens are short lived, they just expire in time.
Refresh token multiple requests
See RFC6819 section 6: The authorization server MAY issue a new refresh token ... The authorization server MAY revoke the old refresh token after issuing a new refresh token to the client.
The spec. allow some freedom, so the implementations vary. The very secure implementation is to issue a new refresh token and invalidate the old one each time. But this makes troubles with concurrent calls (e.g. a multi threaded apps). So some servers has just one long lasting refresh tokens (simple implementation, less secure). Others keeps valid the old refresh token a short time (e.g. 2 min) after the new refresh token is issued.
answered 6 mins ago
xmedekoxmedeko
1085
add a comment |
Access tokens invalidation
You cannot invalidate all access tokens for particular client_id. The client_id is usually bound to one application, but this app is used by more users. And even one user may use same app from different devices. The refresh token creates a kind of session - it must by unique for a particular app, user and device. Furthermore, a client may call refresh token with a narrower scope and in this case you do not want to invalidate the old access token with wider scope - the client may still use it.
With my limited experience, the OAuth servers do not invalidate the access tokens on the refresh token call. Access tokens are short lived, they just expire in time.
Refresh token multiple requests
See RFC6819 section 6: The authorization server MAY issue a new refresh token ... The authorization server MAY revoke the old refresh token after issuing a new refresh token to the client.
The spec. allow some freedom, so the implementations vary. The very secure implementation is to issue a new refresh token and invalidate the old one each time. But this makes troubles with concurrent calls (e.g. a multi threaded apps). So some servers has just one long lasting refresh tokens (simple implementation, less secure). Others keeps valid the old refresh token a short time (e.g. 2 min) after the new refresh token is issued.
answered 6 mins ago
xmedekoxmedeko
1085
Access tokens invalidation
You cannot invalidate all access tokens for particular client_id. The client_id is usually bound to one application, but this app is used by more users. And even one user may use same app from different devices. The refresh token creates a kind of session - it must by unique for a particular app, user and device. Furthermore, a client may call refresh token with a narrower scope and in this case you do not want to invalidate the old access token with wider scope - the client may still use it.
With my limited experience, the OAuth servers do not invalidate the access tokens on the refresh token call. Access tokens are short lived, they just expire in time.
Refresh token multiple requests
See RFC6819 section 6: The authorization server MAY issue a new refresh token ... The authorization server MAY revoke the old refresh token after issuing a new refresh token to the client.
The spec. allow some freedom, so the implementations vary. The very secure implementation is to issue a new refresh token and invalidate the old one each time. But this makes troubles with concurrent calls (e.g. a multi threaded apps). So some servers has just one long lasting refresh tokens (simple implementation, less secure). Others keeps valid the old refresh token a short time (e.g. 2 min) after the new refresh token is issued.
answered 6 mins ago
xmedekoxmedeko
1085
answered 6 mins ago
xmedekoxmedeko
1085
answered 6 mins ago
xmedekoxmedeko
1085
answered 6 mins ago
xmedekoxmedeko
1085
1085
add a comment |
add a comment |
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f821992%2fhow-do-oauth-servers-deal-with-a-refresh-token-requested-multiple-times%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
