jazzband / django-oauth-toolkit

OAuth2 goodies for the Djangonauts!
https://django-oauth-toolkit.readthedocs.io

Refresh token reuse detection #1404

Open soerface opened 4 months ago

soerface commented 4 months ago

Is your feature request related to a problem? Please describe. I want to increase security by detecting reuse of old refresh tokens. Scenario:

Describe the solution you'd like In case an old refresh token is used (taking REFRESH_TOKEN_GRACE_PERIOD_SECONDS into consideration), not only should it be rejected, but also the whole token family should be invalidated.

The implementation should be according to the RFC: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-25#section-4.14.2-5.2.2

Refresh token rotation: the authorization server issues a new refresh token with every access token refresh response. The previous refresh token is invalidated but information about the relationship is retained by the authorization server. If a refresh token is compromised and subsequently used by both the attacker and the legitimate client, one of them will present an invalidated refresh token, which will inform the authorization server of the breach. The authorization server cannot determine which party submitted the invalid refresh token, but it will revoke the active refresh token. This stops the attack at the cost of forcing the legitimate client to obtain a fresh authorization grant.

Implementation note: The grant to which a refresh token belongs may be encoded into the refresh token itself. This can enable an authorization server to efficiently determine the grant to which a refresh token belongs, and by extension, all refresh tokens that need to be revoked. Authorization servers MUST ensure the integrity of the refresh token value in this case, for example, using signatures.

Additional context
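
As an added illustration, not code from django-oauth-toolkit or from this thread, the following in-memory model shows the behaviour requested above: rotation, a retry inside the grace window returning the same successor, and revocation of the whole token family when an already-invalidated token is presented later. `RefreshStore`, `RefreshToken` and the `audit` list are assumed names; `REFRESH_TOKEN_GRACE_PERIOD_SECONDS` mirrors the setting named in the issue.

```python
from __future__ import annotations
import secrets
from dataclasses import dataclass
from typing import Optional

# Assumption: same name as the django-oauth-toolkit setting; value chosen for the demo.
REFRESH_TOKEN_GRACE_PERIOD_SECONDS = 30

@dataclass
class RefreshToken:
    value: str
    family: str                      # the grant this token descends from
    revoked_at: Optional[float] = None
    successor: Optional[str] = None  # token issued when this one was rotated

class RefreshStore:
    """In-memory stand-in for a refresh-token table (hypothetical, not DOT's model)."""
    def __init__(self, grace: float = REFRESH_TOKEN_GRACE_PERIOD_SECONDS):
        self.tokens: dict[str, RefreshToken] = {}
        self.grace = grace
        self.audit: list[tuple[str, str]] = []  # (event, family) for alerting

    def issue(self, family: Optional[str] = None) -> str:
        family = family or secrets.token_urlsafe(8)
        token = RefreshToken(secrets.token_urlsafe(32), family)
        self.tokens[token.value] = token
        return token.value

    def is_active(self, value: str) -> bool:
        token = self.tokens.get(value)
        return token is not None and token.revoked_at is None

    def revoke_family(self, family: str, now: float) -> None:
        for token in self.tokens.values():
            if token.family == family and token.revoked_at is None:
                token.revoked_at = now

    def rotate(self, presented: str, now: float) -> Optional[str]:
        """Return the new refresh token, or None if the presented one is rejected."""
        old = self.tokens.get(presented)
        if old is None:
            self.audit.append(("unknown_token", "-"))
            return None
        if old.revoked_at is None:
            new = self.issue(old.family)
            old.revoked_at, old.successor = now, new
            return new
        # Already rotated: a retry inside the grace window (e.g. a lost response)
        # gets the same successor, which is what the grace period exists for.
        if old.successor and now - old.revoked_at <= self.grace:
            return old.successor
        # Reuse of an invalidated token outside the window: a second party holds
        # it, so every still-active token in the family is revoked.
        self.revoke_family(old.family, now)
        self.audit.append(("reuse_detected", old.family))
        return None
```

A real implementation would also revoke the access tokens tied to the family and persist the audit event where detection tooling can see it.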

n2ygk commented 1 month ago

This sounds great and a PR would be greatly appreciated.