11 May
How to prevent refreshing a stolen access token
The scenario is: you have a refresh token that is valid for a longer period of time and an access token that is valid for a shorter period of time.
The setup: There is a client, application server and authentication server.
- The client stores the access token.
- The application server stores the refresh token.
- The authentication server hands out the refresh + access token.
One of the advantages is that a stolen access token can only be used for the time it is valid.
Say a hacker steals the access token that is valid for 30 minutes. When the hacker makes a request with the valid but expired stolen access token after 30 minutes, the application server refreshes it with the refresh token, and thus the hacker gains a new, valid, non-expired access token.
How can this be prevented?
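The flow described in the question, modelled as a small Python simulation. This is an added example, not code from the original post: the three parties (`AuthServer`, `AppServer`, the client's stolen token), the 30-minute lifetime and the user name `alice` are all constructed for illustration. It shows the property the question hinges on: the application server's refresh step is triggered by possession of the expired access token alone, so whoever holds a copy of that token gets a fresh one back.

```python
import secrets

ACCESS_TTL = 30 * 60  # access token lifetime in seconds (30 minutes, as in the question)


class AuthServer:
    """Hands out refresh + access tokens and validates access tokens (constructed model)."""

    def __init__(self):
        self._refresh = {}  # refresh token -> subject (user id)
        self._access = {}   # access token -> (subject, expiry timestamp)

    def login(self, subject, now):
        refresh_token = secrets.token_urlsafe(16)
        self._refresh[refresh_token] = subject
        return refresh_token, self._issue_access(subject, now)

    def _issue_access(self, subject, now):
        access_token = secrets.token_urlsafe(16)
        self._access[access_token] = (subject, now + ACCESS_TTL)
        return access_token

    def refresh(self, refresh_token, now):
        # Only checks that the refresh token exists; nothing ties the refresh to the caller.
        subject = self._refresh[refresh_token]
        return self._issue_access(subject, now)

    def check(self, access_token, now):
        """Return (subject, status) with status in {'unknown', 'expired', 'valid'}."""
        entry = self._access.get(access_token)
        if entry is None:
            return None, "unknown"
        subject, expires_at = entry
        return subject, ("expired" if now >= expires_at else "valid")


class AppServer:
    """Stores the refresh token and refreshes whenever it sees an expired access token."""

    def __init__(self, auth):
        self._auth = auth
        self._refresh_by_subject = {}  # subject -> refresh token

    def on_login(self, subject, refresh_token):
        self._refresh_by_subject[subject] = refresh_token

    def handle_request(self, access_token, now):
        """Return (outcome, access token the caller should use next)."""
        subject, status = self._auth.check(access_token, now)
        if status == "unknown":
            return "rejected", None
        if status == "expired":
            # The refresh is triggered by possession of the expired token alone:
            # the server never asks who is presenting it.
            new_token = self._auth.refresh(self._refresh_by_subject[subject], now)
            return "refreshed", new_token
        return "served", access_token


def replay_stolen_token(steal_at=0, replay_at=31 * 60):
    """Walk through the question's scenario; returns (outcome, status of the token the attacker ends up with)."""
    auth = AuthServer()
    app = AppServer(auth)
    refresh_token, access_token = auth.login("alice", now=steal_at)
    app.on_login("alice", refresh_token)

    stolen = access_token  # constructed: the attacker holds a copy of the client's access token
    outcome, token_after = app.handle_request(stolen, now=replay_at)
    if token_after is None:
        return outcome, "none"
    _, status = auth.check(token_after, now=replay_at)
    return outcome, status


if __name__ == "__main__":
    # Replayed after the 30-minute lifetime: the app server refreshes and the
    # attacker ends up with a token that validates as 'valid'.
    print(replay_stolen_token())
```

Running it with the defaults replays the stolen token one minute after expiry and returns `('refreshed', 'valid')`; with `replay_at=29 * 60` the token is still within its lifetime and the request is simply served. In both cases the attacker's position is the same as the legitimate client's, which is exactly the problem the question raises.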