You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Currently there is no chain-of-trust relationship between access tokens and refresh tokens, this means that if an attacker gains access to a refresh token, then they may still be able to attempt to use it, without all access tokens stemming from that stolen refresh token being revoked.
Auth0 has an extremely good write up on this which explains the attack vector.
The solution here is to create a "token family", where refresh tokens are a separate record to access tokens, and they are linked together in a multiple directional way; e.g., you can start at one access token and revoke all subsequent access tokens stemming from that access token.
Having a separate refresh token model would also allow for expiration of refresh tokens independent of access tokens (which I don't believe is currently possible)
The text was updated successfully, but these errors were encountered:
Currently there is no chain-of-trust relationship between access tokens and refresh tokens, this means that if an attacker gains access to a refresh token, then they may still be able to attempt to use it, without all access tokens stemming from that stolen refresh token being revoked.
Auth0 has an extremely good write up on this which explains the attack vector.
The solution here is to create a "token family", where refresh tokens are a separate record to access tokens, and they are linked together in a multiple directional way; e.g., you can start at one access token and revoke all subsequent access tokens stemming from that access token.
Having a separate refresh token model would also allow for expiration of refresh tokens independent of access tokens (which I don't believe is currently possible)
The text was updated successfully, but these errors were encountered: