go-gitea / gitea

Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD
https://gitea.com
MIT License
44.79k stars 5.47k forks

Invalidate all refresh tokens when refresh token replay attack detected #25847

Open hickford opened 1 year ago

hickford commented 1 year ago

Feature Description

When refresh token invalidation is enabled and refresh token replay attack is detected, Gitea should invalidate all refresh tokens for the client following OAuth security best practice https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-23#section-4.14.2

Refresh token rotation: the authorization server issues a new refresh token with every access token refresh response. The previous refresh token is invalidated but information about the relationship is retained by the authorization server. If a refresh token is compromised and subsequently used by both the attacker and the legitimate client, one of them will present an invalidated refresh token, which will inform the authorization server of the breach. The authorization server cannot determine which party submitted the invalid refresh token, but it will revoke the active refresh token. This stops the attack at the cost of forcing the legitimate client to obtain a fresh authorization grant.

Currently Gitea simply rejects the replayed refresh token and logs a message:

A client tried to use a refresh token for grant_id = %d was used twice!
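The two policies being compared above (reject only the replayed token, versus revoke every refresh token of the grant once a replay is seen) can be modelled in a few dozen lines. The following is an added example written for this page, not Gitea's code; `Store`, `Refresh`, `Issue` and `Scenario` are hypothetical names, and the store keeps the whole token family in memory so that a replayed token can still be attributed to its grant. `Scenario` plays out the sequence from the draft in the order that matters for security: the attacker spends the stolen token first, and the legitimate client replays it later.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// Sentinel errors returned by Refresh.
var (
	ErrUnknownToken   = errors.New("unknown refresh token")
	ErrReplayDetected = errors.New("refresh token presented twice (replay detected)")
	ErrGrantRevoked   = errors.New("grant has been revoked")
)

// grant is one authorization grant. Only one refresh token is accepted at a
// time; previously rotated tokens stay mapped to the grant in Store.tokens so
// a replay can be recognised and attributed.
type grant struct {
	active  string // the single refresh token currently accepted
	revoked bool
}

// Store is a hypothetical in-memory refresh-token store (not Gitea's).
type Store struct {
	mu     sync.Mutex
	grants map[int64]*grant
	tokens map[string]int64 // every refresh token ever issued -> grant id
	nextID int64
	// RevokeFamilyOnReplay selects the policy under discussion:
	//   false: reject only the replayed token (the behaviour described in the issue)
	//   true:  also revoke the grant's active token, per draft-ietf-oauth-security-topics 4.14.2
	RevokeFamilyOnReplay bool
}

func NewStore(revokeFamilyOnReplay bool) *Store {
	return &Store{
		grants:               map[int64]*grant{},
		tokens:               map[string]int64{},
		RevokeFamilyOnReplay: revokeFamilyOnReplay,
	}
}

// newToken returns 256 bits of randomness, hex encoded.
func newToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// Issue creates a new grant and returns its id and first refresh token.
func (s *Store) Issue() (int64, string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.nextID++
	tok := newToken()
	s.grants[s.nextID] = &grant{active: tok}
	s.tokens[tok] = s.nextID
	return s.nextID, tok
}

// Refresh validates token and rotates it. A token that was issued by this
// store but is no longer the active one is a replay; depending on policy the
// whole grant is then revoked.
func (s *Store) Refresh(token string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	gid, ok := s.tokens[token]
	if !ok {
		return "", ErrUnknownToken
	}
	g := s.grants[gid]
	if g.revoked {
		return "", ErrGrantRevoked
	}
	if g.active != token {
		if s.RevokeFamilyOnReplay {
			g.revoked = true
			g.active = ""
		}
		return "", ErrReplayDetected
	}
	next := newToken()
	s.tokens[next] = gid
	g.active = next
	return next, nil
}

// Scenario: the attacker steals t1 and refreshes first (obtaining t2); the
// legitimate client then replays t1. It reports whether the attacker's t2 is
// still accepted afterwards.
func Scenario(revokeFamilyOnReplay bool) bool {
	s := NewStore(revokeFamilyOnReplay)
	_, t1 := s.Issue()
	attackerToken, err := s.Refresh(t1)
	if err != nil {
		panic(err)
	}
	if _, err = s.Refresh(t1); !errors.Is(err, ErrReplayDetected) {
		panic("expected replay detection")
	}
	_, err = s.Refresh(attackerToken)
	return err == nil
}

func main() {
	for _, revoke := range []bool{false, true} {
		fmt.Printf("revoke family on replay=%v -> attacker keeps a valid token: %v\n",
			revoke, Scenario(revoke))
	}
}
```

With the reject-only policy the attacker's rotated token survives the replay, which is exactly the case the draft's "revoke the active refresh token" rule is meant to close; the cost is that the legitimate client must re-authorize.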

hickford commented 1 year ago

Relevant code https://github.com/go-gitea/gitea/blob/d1e066f5d6e1ba91f45118de835c3777eee0811f/routers/web/auth/oauth.go#L732-L739

emrebdr commented 2 months ago

@lunny In this case, wouldn't it make sense to delete all of the user's auth tokens?

lunny commented 2 months ago

What do you mean by auth tokens? Refresh tokens?

I think the refresh token should be deleted, but I think the question is when. Maybe