We have a client application that is interacting with an application using OAuth authentication. We don't want to authenticate the user every time the refresh token expires. So, we thought that we could keep the refresh token expiration time at up to 1 year. What is the security risk if we have this type of setup with longer refresh tokens?
-
This is an antipattern according to an offset of the Google docs: https://cloud.google.com/apigee/docs/api-platform/antipatterns/oauth-long-expiration. Why not just refresh? It should be simple enough: if you get an error that the token is expired, make the call to refresh it. – ViaTech Jun 10 '22 at 20:52
-
If the refresh token expires, the authorization server will not grant a new access token. The client has to log in again to get a new access token. – Ram Sure Jun 10 '22 at 21:00
1 Answer
What is the security risk if we have this type of set up with longer refresh tokens
Refresh tokens are bearer tokens, so whoever holds one can use it to obtain a new access token from the authorization server until it expires. Therefore, a refresh token with a very long lifespan could theoretically give the token bearer infinite power to get new access tokens. Each newly obtained access token could then be used to access the protected resources at any time. The bearer of the refresh token could be a legitimate user or a malicious user. As with access tokens, it is advisable to use a short lifespan for refresh tokens. The validity period of a refresh token could be increased up to a certain extent in highly trusted systems and communications.

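Added example, not code from the answer or from the asker's system: a toy authorization server in Python that shows the mitigation the answer recommends (a short refresh-token lifetime) together with its standard complement, which goes beyond the page: refresh-token rotation with an absolute session cap and reuse detection. An active client keeps getting new tokens without re-login, while any single leaked bearer token is only valid until its short expiry and a replayed rotated token revokes the whole session. The names AuthServer, RefreshRecord and the "family" concept are my own.

```python
import secrets
from dataclasses import dataclass


@dataclass
class RefreshRecord:
    subject: str
    family: str             # one login session; every rotation shares it
    expires_at: int         # this token's own (short) expiry, epoch seconds
    family_expires_at: int  # absolute cap: re-login required after this
    used: bool = False


class AuthServer:
    """Toy authorization server (constructed for illustration): short refresh
    TTL, rotation on every use, absolute session cap, family revocation on reuse."""

    def __init__(self, refresh_ttl=7 * 86400, session_max=30 * 86400):
        self.refresh_ttl = refresh_ttl
        self.session_max = session_max
        self.tokens = {}  # refresh token -> RefreshRecord

    def login(self, subject, now):
        """Called once the user has authenticated; starts a new token family."""
        return self._issue(subject, secrets.token_hex(8), now, now + self.session_max)

    def _issue(self, subject, family, now, family_expires_at):
        token = secrets.token_urlsafe(32)
        expires_at = min(now + self.refresh_ttl, family_expires_at)
        self.tokens[token] = RefreshRecord(subject, family, expires_at, family_expires_at)
        return token

    def refresh(self, token, now):
        """Exchange a refresh token for (access_token, new_refresh_token)."""
        rec = self.tokens.get(token)
        if rec is None:
            raise PermissionError("unknown or revoked refresh token")
        if rec.used:
            # A rotated token presented again: the client replayed it or a
            # second party holds a copy. Either way, end the whole session.
            self.revoke_family(rec.family)
            raise PermissionError("refresh token reuse detected; session revoked")
        if now >= rec.expires_at:
            raise PermissionError("refresh token expired; user must log in again")
        rec.used = True
        access_token = secrets.token_urlsafe(32)  # stand-in for a real access token
        return access_token, self._issue(rec.subject, rec.family, now, rec.family_expires_at)

    def revoke_family(self, family):
        """Drop every refresh token belonging to one login session."""
        for tok in [t for t, r in self.tokens.items() if r.family == family]:
            del self.tokens[tok]
```

With the defaults a client that refreshes at least weekly stays logged in for up to 30 days, after which the absolute cap forces a fresh login regardless of activity.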