
I have an OAuth2 server built with django-oauth-toolkit, and by default, refresh tokens are revoked immediately upon use. This means that if a client requests a new access token using a refresh token but doesn't receive the response due to a network interruption, they will be forced to reauthenticate.

The library provides the setting REFRESH_TOKEN_GRACE_PERIOD_SECONDS, which is an amount of time to wait between the use of a refresh token and its revocation. If a client uses a refresh token and does not receive the response, that original refresh token will still be valid for REFRESH_TOKEN_GRACE_PERIOD_SECONDS, which allows the client to get a new access token without needing to reauthenticate.

As far as I can tell, the purpose of immediately revoking refresh tokens upon use is to prevent replay attacks, but since this authorization server exclusively uses https, it seems this is a sufficient defense against this type of attack.

Are there other vulnerabilities that can result from having a grace period for refresh token revocation? What would be the implications of never revoking a refresh token?

Akif
jczaplew

2 Answers


Security considerations are mentioned in the RFC 7009 https://www.rfc-editor.org/rfc/rfc7009#section-5

You can also have an attack on TLS (HTTPS) if it's not configured/managed properly (insecure TLS versions, ciphers, man in the middle, expired cert, problems with the Certification Authority, ...).

You may have a problem with resource exhaustion on your server. A refresh token needs some resources, e.g. memory, a DB record, ...

Jan Garaj
    The linked spec is about adding a revocation endpoint to a server for clients to revoke their own tokens. OP is asking about the automatic revocation that occurs as part of refresh token rotation [RFC6749](https://datatracker.ietf.org/doc/html/rfc6749#section-10.4). – Kyle McClellan Oct 11 '22 at 18:04

The description of the security benefit of token rotation in OAuth 2.0 Security Best Current Practice:

If a refresh token is compromised and subsequently used by both the attacker and the legitimate client, one of them will present an invalidated refresh token, which will inform the authorization server of the breach. The authorization server cannot determine which party submitted the invalid refresh token, but it will revoke the active refresh token. This stops the attack at the cost of forcing the legitimate client to obtain a fresh authorization grant.

Sounds to me like the intention of recycling is to guarantee the new tokens have exactly one recipient. A grace period, however short, would remove that guarantee. That said, token rotation with a grace period is better than no rotation as it would make it more difficult for an attacker to abuse a leaked refresh token without detection.

Since you are using TLS, another option could be to constrain the grace period to apply only to the current connection...

Kyle McClellan
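The retry case from the question and the "exactly one recipient" point from the answer above, played out side by side in a small Python model. This is an added example written for this thread, not code from django-oauth-toolkit or from any of the posters. `AuthServer`, `RefreshToken` and the two scenario functions are hypothetical names, and the behaviour inside the grace window (a second presentation of a used token gets the successor that was already issued; a presentation outside the window is treated as the reuse signal from the OAuth 2.0 Security BCP and revokes every token descending from the original grant) is an assumption of this model, not a statement of what the library does.

```python
"""Model of refresh-token rotation with and without a grace period.

Added example, not django-oauth-toolkit code. State is in memory and the
clock is a number supplied by the caller, so it runs offline. The grace and
reuse-detection behaviour is this model's assumption, not the library's.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class RefreshToken:
    value: str
    family: str                      # the authorization grant it descends from
    used_at: Optional[float] = None  # time of first exchange, None if unused
    successor: Optional[str] = None  # refresh token issued in that exchange


class AuthServer:
    """Hypothetical authorization server; grace_seconds=0 means strict rotation."""

    def __init__(self, grace_seconds: float = 0.0) -> None:
        self.grace = grace_seconds
        self.tokens: Dict[str, RefreshToken] = {}
        self.revoked_families: Set[str] = set()
        self.alerts: List[str] = []

    def grant(self) -> str:
        """Initial authorization: a new family with one refresh token."""
        family = secrets.token_hex(4)
        value = secrets.token_hex(16)
        self.tokens[value] = RefreshToken(value, family)
        return value

    def refresh(self, presented: str, now: float) -> Optional[str]:
        """Exchange a refresh token; returns the new refresh token or None."""
        rt = self.tokens.get(presented)
        if rt is None or rt.family in self.revoked_families:
            return None
        if rt.used_at is not None:
            # Second presentation of the same token.
            if now - rt.used_at < self.grace:
                # Inside the grace window: hand back the successor already
                # issued. The server cannot tell a retry from a replay, so an
                # attacker holding the old token receives the same successor.
                return rt.successor
            # Outside the window: someone other than the current holder has
            # this token. Revoke everything that descends from the grant.
            self.revoked_families.add(rt.family)
            self.alerts.append(f"reuse of refresh token in family {rt.family}")
            return None
        successor = secrets.token_hex(16)
        self.tokens[successor] = RefreshToken(successor, rt.family)
        rt.used_at = now
        rt.successor = successor
        return successor


def lost_response_scenario(grace_seconds: float) -> bool:
    """The client's first refresh response is lost in transit and it retries
    with the same token one second later. True if it recovers without a new
    authorization grant."""
    srv = AuthServer(grace_seconds)
    rt0 = srv.grant()
    srv.refresh(rt0, now=100.0)           # response never reaches the client
    retry = srv.refresh(rt0, now=101.0)
    return retry is not None


def stolen_token_scenario(grace_seconds: float, attacker_delay: float) -> dict:
    """An attacker holds a copy of rt0. The legitimate client rotates at t=100,
    the attacker replays rt0 attacker_delay seconds later, and the legitimate
    client rotates again at t=200."""
    srv = AuthServer(grace_seconds)
    rt0 = srv.grant()
    rt1 = srv.refresh(rt0, now=100.0)
    stolen = srv.refresh(rt0, now=100.0 + attacker_delay)
    rt2 = srv.refresh(rt1, now=200.0) if rt1 else None
    return {
        "attacker_got_token": stolen is not None,
        "attacker_shares_successor": stolen is not None and stolen == rt1,
        "reuse_detected": bool(srv.alerts),
        "legit_still_valid": rt2 is not None,
    }


if __name__ == "__main__":
    # float("inf") models "never revoke a used refresh token".
    for grace in (0.0, 30.0, float("inf")):
        print(f"grace={grace}: retry recovers={lost_response_scenario(grace)}, "
              f"attacker 5s later={stolen_token_scenario(grace, 5.0)}")
```

Running it shows the trade-off: with a grace of 0 the lost-response retry fails, but an attacker's replay is caught and the whole family is revoked (the BCP's cost, the legitimate client must re-authorize); with a 30 second grace the retry succeeds, but an attacker who replays inside those 30 seconds receives the same successor token as the legitimate client and nothing is flagged, and by repeating this after each legitimate rotation it can shadow the client indefinitely; with an infinite grace (never revoking) the attacker is never detected at all. In practice that argues for keeping the window as short as the client's retry logic allows and, as suggested above, binding the retry to the same client rather than to anyone who presents the old token.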