I'm trying to understand what happens if a refresh token gets stolen and the real user doesn't attempt to refresh it until after the token expires. Let's say we have a setup where a user can log in on several devices or browsers, creating multiple refresh token chains. Here's the flow I'm considering:
1. The real user (let's call them RA) logs in and receives an access token (AT1) and a refresh token (RT1), both stored securely in HTTP cookies. RT1 is also stored in the database for tracking purposes.
2. A malicious actor (MA) steals RT1 and uses it right away to refresh the access token, receiving AT2 and RT2. The database is updated with RT2 while RT1 is marked as revoked.
3. MA acts maliciously, receiving several new access tokens (up to AT7) while the older refresh tokens (RT2 to RT6) are revoked.
4. Meanwhile, RA doesn't do anything until RT1 expires.
I understand that if RA uses RT1 before it expires, we can detect it's been revoked and take action. However, if RA waits until it has expired, they will be forced to sign in again, get a new refresh token, and start a new refresh token chain while the malicious actor's tokens remain valid.
What am I missing about this scenario?
Also, do you think it's better to have the cookie that stores the refresh token (probably a JWT) not expire to avoid this issue? If that's the case, can we skip the verification of the JWT's expiration when checking for re-use? Finally, if RA never interacts again or uses a new device, can we prevent the malicious actor from continuing their actions without RA hitting a 'log out of all devices' button?
4 Answers
With standard refresh token rotation, if an attacker gets hold of the refresh token and keeps refreshing it, their access will stay valid until it's revoked or reaches its expiration. The cookie expiration on the victim's device won't affect the attacker since they already have a valid refresh token. It's essential to use rotating, server-stored refresh tokens with a family record and enforce absolute lifetimes along with tracking refresh attempts by device or location.
Honestly, it’s kind of a user problem if their tokens get stolen, right? That usually means a serious breach, possibly requiring access to the user's device. If security is crucial, consider using sessions and a way to track activities. But even then, if the device itself is compromised, it's tough.
Exactly! The main risk comes from that 15-minute window where the access token (AT1) is still valid. If the real user doesn't send RT1 and AT1 back to refresh before AT1 expires, the system won't detect the invalidated RT1, allowing the attacker to continue their activity until the absolute expiry or manual revocation.
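As an added example (not code from the question or any of the answers), here is the scheme the first answer recommends: server-stored refresh tokens grouped into a family with an absolute lifetime, with the reuse check run before the expiry check so the chain is still killed when the victim finally presents a stale RT1. The class and function names, the lifetimes and the in-memory store are assumptions; tokens are opaque random strings rather than JWTs, but the family logic is the same.

```python
import secrets

ABSOLUTE_LIFETIME = 30 * 24 * 3600  # a family dies 30 days after login, however often it rotates
REFRESH_LIFETIME = 7 * 24 * 3600    # each individual refresh token is redeemable for 7 days

class RefreshStore:
    def __init__(self, now):
        self.now = now          # injectable clock so the scenario below can jump forward
        self.families = {}      # family_id -> {"created_at", "current", "revoked"}
        self.token_index = {}   # refresh token -> (family_id, issued_at)

    def _rotate(self, fid):
        fam = self.families[fid]
        fam["current"] = secrets.token_urlsafe(32)
        self.token_index[fam["current"]] = (fid, self.now())
        return fam["current"]

    def login(self):
        fid = secrets.token_hex(8)
        self.families[fid] = {"created_at": self.now(), "current": None, "revoked": False}
        return fid, self._rotate(fid)

    def refresh(self, rt):
        """Returns ('ok', new_rt), ('reuse', fid), ('expired', fid) or ('unknown', None)."""
        if rt not in self.token_index:
            return "unknown", None
        fid, issued_at = self.token_index[rt]
        fam, t = self.families[fid], self.now()
        # Reuse check runs BEFORE any expiry check: a token that is no longer the family's
        # current one was already rotated by someone else, so revoke the whole chain.
        if fam["revoked"] or rt != fam["current"]:
            fam["revoked"] = True
            return "reuse", fid
        if t - fam["created_at"] > ABSOLUTE_LIFETIME or t - issued_at > REFRESH_LIFETIME:
            fam["revoked"] = True
            return "expired", fid
        return "ok", self._rotate(fid)

def stolen_token_scenario():
    """RT1 is stolen and rotated six times; the victim presents RT1 only after it has expired."""
    clock = [0.0]
    store = RefreshStore(now=lambda: clock[0])
    _, rt1 = store.login()                 # RT1 is now held by both the victim and the attacker
    stolen = rt1
    for _ in range(6):                     # attacker: RT1 -> RT2 -> ... -> RT7, all 'ok'
        _, stolen = store.refresh(stolen)
    clock[0] = REFRESH_LIFETIME + 1        # victim comes back only after RT1's own lifetime
    victim_status, _ = store.refresh(rt1)
    attacker_status, _ = store.refresh(stolen)
    return victim_status, attacker_status  # ('reuse', 'reuse'): the chain is dead for both
```

The victim's browser dropping the expired cookie and going to the login page instead is the one case this cannot catch; that is what the absolute family lifetime is for.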