
Public Client : Refresh Token Revocation on Token Reuse #1619

@awoodobvio

Description


Refresh Token Revocation on Token Reuse

Problem

When using refresh tokens in a public client (mobile, SPA), client authentication cannot be used to protect the /token endpoint. This means that the token can be "stolen" and used by a malicious actor. When this occurs, the application can be compromised by that attacker.

PKCE protects the /authorize endpoint, but that can't be used to exchange the refresh token. Since we are a public client, the refresh token is essentially a bearer token with no additional security.

This means that if a malicious actor gains access to the refresh token, they have an entry point to gaining access to the system with no additional layers of protection.

The suggested mitigation strategy is to use "one-time" refresh tokens with short durations and to detect any attempt to use an already-used token. When this is detected, all refresh tokens in that "chain" of refresh tokens should be revoked, since the assumption is that the refresh token is compromised. This would close this particular attack. It combines the "refresh token rotation" suggestion with detection of token reuse.

Today, FusionAuth supports the rotation portion but not the revocation portion.

This allows the following attack:

  1. Attacker/Malicious code gains access to refresh token 1
  2. Attacker immediately uses refresh token 1 to gain new access token, refresh token 2
  3. Real code attempts to get a new access token with refresh token 1 and is refused due to one-time refresh token
  4. Attacker continues to use refresh token 2 and new refresh tokens to access application

Solution

When a one-time token that was previously used to refresh the access token is used again, the entire chain of refresh tokens minted from that reused token must be invalidated so that the attacker cannot refresh their access token again.
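As an added illustration (not FusionAuth code), here is a minimal in-memory refresh token store that models both behaviours: rotation alone, and rotation with revocation of the whole chain on reuse. `RefreshTokenStore`, `run_attack` and the "family" id used to tie a chain together are constructed for this example; `run_attack` replays the four-step attack from the Problem section and reports whether the attacker still holds a working token at step 4.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class RefreshToken:
    value: str
    family: str        # the rotation "chain" this token descends from (constructed)
    used: bool = False


class RefreshTokenStore:
    """One-time refresh tokens with optional family revocation on reuse (constructed example)."""

    def __init__(self, revoke_family_on_reuse: bool = True) -> None:
        self.revoke_family_on_reuse = revoke_family_on_reuse
        self.tokens: Dict[str, RefreshToken] = {}
        self.revoked_families: Set[str] = set()

    def issue(self, family: Optional[str] = None) -> str:
        tok = RefreshToken(secrets.token_urlsafe(32), family or secrets.token_hex(8))
        self.tokens[tok.value] = tok
        return tok.value

    def exchange(self, value: str) -> Tuple[str, str]:
        """Trade a refresh token for (access_token, new_refresh_token); raise on rejection."""
        tok = self.tokens.get(value)
        if tok is None or tok.family in self.revoked_families:
            raise PermissionError("refresh token rejected")
        if tok.used:
            if self.revoke_family_on_reuse:
                # Reuse means the chain is compromised: every token descending from it dies.
                self.revoked_families.add(tok.family)
            raise PermissionError("refresh token already used")
        tok.used = True
        return "access-" + secrets.token_hex(8), self.issue(tok.family)


def run_attack(store: RefreshTokenStore) -> bool:
    """Replay the four-step attack; True means the attacker's token still works at step 4."""
    rt1 = store.issue()                      # step 1: attacker obtains refresh token 1
    _, rt2 = store.exchange(rt1)             # step 2: attacker rotates rt1 -> rt2
    try:
        store.exchange(rt1)                  # step 3: real client retries rt1, refused
    except PermissionError:
        pass
    try:
        store.exchange(rt2)                  # step 4: attacker tries rt2
        return True
    except PermissionError:
        return False
```

With `revoke_family_on_reuse=False` (rotation only) step 4 succeeds; with it enabled, the reuse at step 3 revokes the family and step 4 is rejected.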

Alternatives/workarounds

In the forum post, a discussion was raised about using webhooks to do this. Unfortunately, this won't work since the detection of the invalid JWT doesn't raise a webhook call. We'd need a "refresh token rejected" event to do this properly. Otherwise, we'd have to keep refresh tokens reusable, and that opens other security issues.

Additional context

Original Post in Forum
Specification about Refresh Token Abuse Detection when Client Secret is not used
Detail of Attack/Mitigation (Auth0)
Detail of Attack/Mitigation (Ping Identity)
Detail of Attack/Mitigation (Log Rocket)
Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

Status: Delivered