
How to prevent refreshing a stolen access token

Çağlar Arlı      -    14 Views


The scenario is: you have a refresh token that is valid for a longer period of time and an access token that is valid for a shorter period of time.

The setup: There is a client, application server and authentication server.

  • The client stores the access token.
  • The application server stores the refresh token.
  • The authentication server hands out the refresh + access token.

One of the advantages is that a stolen access token can only be used for the time it is valid.

Say a hacker steals the access token that is valid for 30 minutes. When the hacker makes a request with the valid but expired stolen access token after 30 minutes, the application server refreshes it with the refresh token, so the hacker gains a new valid, unexpired access token.

How can this be prevented?
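Added example, not part of the original question: a constructed toy model of the three-party setup above. With `bind_to_session=False` the application server behaves exactly as described (any expired access token is refreshed), and with `bind_to_session=True` the refresh token is tied to a server-side session, while the authentication server rotates refresh tokens and revokes the whole token family on reuse. All class and method names are assumptions made for this illustration.

```python
import secrets

ACCESS_TTL = 1800  # 30 minutes, as in the scenario

class AuthServer:
    # Constructed toy authentication server: issues access + refresh tokens,
    # rotates the refresh token on each use and revokes the whole token family
    # when an already-spent refresh token is presented again (reuse detection).
    def __init__(self):
        self.live, self.spent, self.revoked = {}, {}, set()
    def issue(self, user, now, family=None):
        family = family or secrets.token_hex(4)
        rt = secrets.token_hex(8)
        self.live[rt] = (user, family)
        return {"user": user, "exp": now + ACCESS_TTL}, rt
    def refresh(self, rt, now):
        if rt in self.spent:                  # replay of a rotated-out token
            self.revoked.add(self.spent[rt])  # kill every token in the family
            return None
        if rt not in self.live:
            return None
        user, family = self.live.pop(rt)
        self.spent[rt] = family
        return None if family in self.revoked else self.issue(user, now, family)

class AppServer:
    # Constructed application server. bind_to_session=False reproduces the
    # question: any expired access token is refreshed with the user's stored
    # refresh token. bind_to_session=True keys the refresh token to a
    # server-side session, so only a request carrying that session id refreshes.
    def __init__(self, auth, bind_to_session=True):
        self.auth, self.bind = auth, bind_to_session
        self.sessions, self.by_user = {}, {}   # session_id -> rt, user -> rt
    def login(self, user, now):
        access, rt = self.auth.issue(user, now)
        sid = secrets.token_hex(8)
        self.sessions[sid] = self.by_user[user] = rt
        return sid, access
    def request(self, access, now, session_id=None):
        if access["exp"] > now:
            return "ok", access
        store, key = (self.sessions, session_id) if self.bind else (self.by_user, access["user"])
        rt = store.get(key)
        result = self.auth.refresh(rt, now) if rt else None
        if result is None:
            store.pop(key, None)  # no binding or family revoked: force re-login
            return "denied", None
        new_access, store[key] = result
        return "ok", new_access
```

A stolen access token on its own is then only useful until it expires; if the stolen refresh token is ever replayed, the legitimate session is also cut off at its next refresh, which is the signal a defender can alert on.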