
I am currently testing a website that appears to make a refresh token request every time I focus away from the web browser and back, or away from the tab the website is open in and back to it. I've confirmed these requests are refreshing my access token. My question is whether this poses an additional security risk or not. My initial thought is it's not a good idea to have a ton of valid tokens floating around, but I'm not certain that this implementation gives an attacker any larger window to steal an access token than he would already have with any method already available to get his hands on an access token.

Edit: the tokens are actually being regenerated in this case, though it appears if this had been a refresh token, this would be okay, though unnecessary.

jaredad7
  • Refresh tokens are invalidated upon rotation (or at least should be). As soon as refresh token `R.n` gets exchanged for another access token it will be replaced with another refresh token `R.n+1`, which will be used for the next request. The authorization server should not accept `R.n` at this point any more despite its valid lifetime (nor `R.n-1`, `R.n-2`, etc.). At this point it doesn't really matter if there are multiple long-lived refresh tokens floating around in your browser, as only the latest one is valid. – Beltway Sep 28 '21 at 14:16

1 Answer


Yes, this is insecure.

By refreshing the token every time an action is performed, an attacker who stole a token once can essentially remain authenticated forever.

Section 6 of this answer explains this in more detail. Here are some of the most important snippets:

In fact, if the token is regenerated every time you do something in the app, then you can use one token to generate infinitely many new tokens, and then use those tokens to generate even more. Once an attacker has gained access to one token, they can never be stopped again.

This is obviously a bad thing, and can be prevented easily. Give your users two tokens: a refresh token and an access token. The access token should have a small, but still usable expiration window (between 15 and 120 minutes). The refresh token should have a longer validity. If you expect the user to remain authenticated, as is usual with most web applications (Stack Exchange, Twitter, etc.), then the refresh token may last several months to a year.

  • The app is using a refresh token, it's just refreshing much more often than required. The access tokens aren't being regenerated. – jaredad7 Sep 28 '21 at 14:16
  • @jaredad7 That's not how it's supposed to be designed. Refresh tokens should be long-lived and rarely used. Access tokens should be short lived and only be used to access data. –  Sep 28 '21 at 14:25
  • @MechMk1 But is it really that much of an issue if refresh token renewal/rotation is enforced properly? If access token lifetime is set to 5 minutes, you will have a request to refresh every five minutes during a long-lived session. The behaviour OP describes just adds one (arguably unnecessary) call to this chain. – Beltway Sep 28 '21 at 14:28
  • @MechMK1 your response got me thinking. I had thought at first these were ordinary refresh calls since they were sending back new tokens, but I've confirmed these are actually being regenerated, so it's a much bigger problem than I thought. – jaredad7 Sep 28 '21 at 14:37
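As an added example (not code from the question, the answer, or the site under test), here is a minimal Python model of the access/refresh token design the answer and Beltway's comment describe: short-lived access tokens, long-lived refresh tokens that become single-use under rotation, and, going one step beyond the thread, revocation of the whole session family when a retired `R.n` is presented again (the sign that a second party holds a copy). Class and function names and the TTL values are assumptions.

```python
import secrets
import time

ACCESS_TTL = 15 * 60          # seconds; short-lived, as the answer recommends
REFRESH_TTL = 30 * 24 * 3600  # seconds; long-lived and rarely used (assumed value)


class TokenService:
    """Toy authorization server that rotates refresh tokens (assumed design).

    Every refresh token belongs to a 'family' (one login session). Exchanging
    R.n issues R.n+1 and retires R.n; presenting a retired R.n again is treated
    as theft and revokes the entire family, so the attacker's R.n+1 dies too.
    """

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable for testing expiry
        self.access = {}            # access token -> (user, expiry)
        self.refresh = {}           # refresh token -> (user, family, expiry, retired)
        self.revoked_families = set()

    def _issue_pair(self, user, family):
        now = self.clock()
        at = secrets.token_urlsafe(32)
        rt = secrets.token_urlsafe(32)
        self.access[at] = (user, now + ACCESS_TTL)
        self.refresh[rt] = (user, family, now + REFRESH_TTL, False)
        return at, rt

    def login(self, user):
        return self._issue_pair(user, family=secrets.token_hex(8))

    def access_valid(self, at):
        entry = self.access.get(at)
        return entry is not None and self.clock() < entry[1]

    def rotate(self, rt):
        """Exchange refresh token rt for a new (access, refresh) pair, or None."""
        entry = self.refresh.get(rt)
        if entry is None:
            return None
        user, family, expiry, retired = entry
        if family in self.revoked_families:
            return None
        if retired:
            # R.n shown after R.n+1 was issued: someone else holds a copy.
            self.revoked_families.add(family)
            return None
        if self.clock() >= expiry:
            return None
        self.refresh[rt] = (user, family, expiry, True)  # retire R.n
        return self._issue_pair(user, family)
```

Because only the newest refresh token in a family works, the extra refresh call on every focus change costs a round trip but does not widen the window a stolen refresh token stays usable.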