
I'm building an OAuth 2.0 protocol. I'm wondering how the refresh token works exactly.

My understanding is that the use of a refresh token enables short-lived access tokens and therefore limits the vulnerability of those access tokens. Great so far. Once an access token expires, you somehow use the refresh token to get a new access token.

I'm wondering how that last part happens exactly (without interrupting the user flow by logging them out):

  • to secure the transaction, should it be required that the app id and app secret are sent along with the refresh token, to ensure the identity of the requester?
    • if so, it sounds like you don't want to store an app secret on a client (web or mobile app or other), so how can you do that without logging out the user?
    • if not, what is the point of the refresh token if you can't use it to verify the requester's identity? And is it ok to store the refresh token in a client?
Guig
  • There are a couple of answers here https://security.stackexchange.com/questions/113296/where-should-i-store-oauth2-access-tokens that may help you about your question. Although I am thinking that there aren't any clean solutions to that problem. – Alexis Wilke Aug 25 '17 at 17:22

1 Answer


Compromise of a refresh token would cause more harm than compromise of an access token.

You can employ various techniques to make it more secure.

You can get the idea by learning about one of the standard techniques recommended for "The OAuth 2.0 Authorization Framework". Please refer to the RFC.

You can separate the concerns of access and authorization by maintaining a separate resource server and authorization server. You can use only the access token (and not the refresh token) to access a resource. You can use only the refresh token (and not the access token) to communicate with the authorization server. This mitigates the risk of the refresh token getting compromised.

Secondly, it is easier to detect if a refresh token is compromised. Let's say a refresh token is compromised and is used to generate new access tokens. Once this refresh token is revoked, all the access tokens generated already and later will get invalidated. As such, only one party will be able to access the resources using access tokens generated from the single valid refresh token. If multiple parties participate, they will go on invalidating each other. In the process, detection of refresh token compromise gets easy.


  • Access tokens CANNOT be invalidated. Once issued they are forever valid until the expiration is reached or the token is tampered with. Revoking refresh tokens does not influence access tokens. – David Carek Jul 17 '19 at 15:53
  • Access and Refresh token relationships during revocation are defined according to the Authorization Server documentation and its implementation. We cannot assume all AS are similarly implemented, and the RFC is open for different use cases (AT revocation is possible, and/or AT are revoked when RT is revoked also). – Doomsday May 04 '20 at 14:49
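The following is an added example, not code from the question, the answer or any OAuth library. It is an in-memory model of the design the answer describes: a separate authorization server (AS) and resource server (RS), short-lived access tokens, and refresh tokens that are rotated on every use so that a second presentation of an old refresh token reveals a theft and revokes the whole token family. It also shows the point raised in the question: a confidential client must send its client secret when refreshing (RFC 6749 section 6), while a public client (browser or mobile app, which cannot keep a secret) relies on rotation and reuse detection instead. Class and method names, the token store layout and the `introspect` call are my own assumptions; whether an already-issued access token is affected by family revocation depends on the AS, as the comments note, and this model makes the RS ask the AS on every request, which is what makes that possible.

```python
import secrets

ACCESS_TTL = 300  # seconds; short-lived access tokens (constructed value)


class AuthorizationServer:
    """Assumed, minimal AS model: issues, rotates and revokes tokens."""

    def __init__(self):
        self.clients = {}          # client_id -> client_secret, or None for a public client
        self.access_tokens = {}    # access token -> {"user", "family", "expires"}
        self.refresh_tokens = {}   # refresh token -> {"user", "family", "client_id", "active"}
        self.revoked_families = set()

    def register_client(self, client_id, client_secret=None):
        # Confidential clients hold a secret; public clients (SPA, mobile app) do not.
        self.clients[client_id] = client_secret

    def _issue(self, user, client_id, family, now):
        access_token = secrets.token_urlsafe(32)
        refresh_token = secrets.token_urlsafe(32)
        self.access_tokens[access_token] = {"user": user, "family": family, "expires": now + ACCESS_TTL}
        self.refresh_tokens[refresh_token] = {"user": user, "family": family,
                                             "client_id": client_id, "active": True}
        return access_token, refresh_token

    def login(self, user, client_id, now):
        # Every login starts a new refresh-token family; rotation keeps the family id.
        return self._issue(user, client_id, secrets.token_hex(8), now)

    def refresh(self, refresh_token, client_id, client_secret, now):
        if client_id not in self.clients:
            return None
        expected = self.clients[client_id]
        # RFC 6749 section 6: a confidential client must authenticate when refreshing.
        if expected is not None and not secrets.compare_digest(expected, client_secret or ""):
            return None
        rec = self.refresh_tokens.get(refresh_token)
        if rec is None or rec["client_id"] != client_id or rec["family"] in self.revoked_families:
            return None
        if not rec["active"]:
            # A rotated-out token was presented again: the legitimate client and a
            # thief both hold it, so the whole family is revoked (user must log in again).
            self.revoke_family(rec["family"])
            return None
        rec["active"] = False  # rotate: each refresh token is single-use
        return self._issue(rec["user"], client_id, rec["family"], now)

    def revoke_family(self, family):
        self.revoked_families.add(family)
        for rec in self.refresh_tokens.values():
            if rec["family"] == family:
                rec["active"] = False

    def introspect(self, access_token, now):
        # Assumed RFC 7662-style lookup by the RS. A self-contained JWT verified
        # offline would not see family revocation and would stay valid until "expires".
        rec = self.access_tokens.get(access_token)
        if rec is None or now >= rec["expires"] or rec["family"] in self.revoked_families:
            return None
        return rec["user"]


class ResourceServer:
    """Only ever sees access tokens; refresh tokens never reach it."""

    def __init__(self, auth_server):
        self.auth_server = auth_server

    def read_profile(self, access_token, now):
        user = self.auth_server.introspect(access_token, now)
        return f"profile of {user}" if user else None


def simulate_theft(now=0):
    """Constructed scenario: a public client's refresh token is copied by a thief."""
    auth = AuthorizationServer()
    auth.register_client("spa")  # public client, no secret
    res = ResourceServer(auth)
    out = {}
    at1, rt1 = auth.login("alice", "spa", now)
    out["fresh_access_ok"] = res.read_profile(at1, now) is not None
    stolen = auth.refresh(rt1, "spa", None, now + 60)  # thief refreshes first
    out["thief_got_tokens"] = stolen is not None
    at2, rt2 = stolen
    # The legitimate client later presents the same, already rotated-out token.
    out["legit_refresh_after_reuse"] = auth.refresh(rt1, "spa", None, now + 120)
    out["family_revoked"] = len(auth.revoked_families) == 1
    # The thief's tokens are now useless even though the access token has not expired.
    out["thief_access_after_detection"] = res.read_profile(at2, now + 130)
    out["thief_refresh_after_detection"] = auth.refresh(rt2, "spa", None, now + 130)
    return out


def access_token_expires(now=0):
    """Short lifetime alone bounds the damage from a leaked access token."""
    auth = AuthorizationServer()
    auth.register_client("spa")
    res = ResourceServer(auth)
    at, _ = auth.login("alice", "spa", now)
    return (res.read_profile(at, now + ACCESS_TTL - 1) is not None,
            res.read_profile(at, now + ACCESS_TTL) is None)


def confidential_client_needs_secret(now=0):
    """A confidential client cannot refresh without its secret; a failed attempt does not burn the token."""
    auth = AuthorizationServer()
    auth.register_client("backend", "s3cret")  # constructed secret
    _, rt = auth.login("bob", "backend", now)
    return (auth.refresh(rt, "backend", None, now) is None,
            auth.refresh(rt, "backend", "s3cret", now) is not None)
```

The scenario shows why the answer's separation of concerns matters: the resource server never handles refresh tokens, so a leak from a resource server exposes only tokens that expire in minutes, while the authorization server is the single place that can notice a refresh token being used twice. The question's dilemma (no secret on the client) is answered the same way in practice: a public client sends no secret, and the single-use refresh token plus family revocation is what stands in for it.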