Refresh Tokens as-implemented are susceptible to Refresh Token Reuse Attacks

[ThisIsMissEm]

Currently there is no chain-of-trust relationship between access tokens and refresh tokens, this means that if an attacker gains access to a refresh token, then they may still be able to attempt to use it, without all access tokens stemming from that stolen refresh token being revoked.

Auth0 has an extremely good write up on this which explains the attack vector.

The solution here is to create a "token family", where refresh tokens are a separate record to access tokens, and they are linked together in a multiple directional way; e.g., you can start at one access token and revoke all subsequent access tokens stemming from that access token.

Having a separate refresh token model would also allow for expiration of refresh tokens independent of access tokens (which I don't believe is currently possible)

[ransombriggs]

I hacked "chain-of-trust" into our implementation and was wondering what level of interest there is in this from the maintainers of doorkeeper. If there is interest I can share the data model changes and if those look good, I can put together some pull requests.

[ThisIsMissEm]

I would be very interested in this for Mastodon