Refresh token security threat

riteshOnHotSeat · August 19, 2021, 5:04pm

Risks of using refresh token in the browser.

Attacker captured an refresh token and using that refresh token the attacker send request that uses the refresh_token grant_type can and getting new access token and new refresh token in response, The attacker can keep replaying that request and to generate new access tokens and refresh tokens indefinitely.

we are using keycloak version 6.0.0.

xgp · August 19, 2021, 6:09pm

Is there a question? Are you trying to mitigate the risk you posted?

Try taking a look at “Implicit flow” Securing Applications and Services Guide

Cyben · August 21, 2021, 6:14am

To make a successful refresh request the attacker should also know the client id and client secret.

Topic		Replies	Views
Revoke Refresh Token Strategy blocks Access Token renewal Securing applications adapter-java , adapter-javascript	2	3254	March 26, 2024
Scope Narrowing Access Token with Refresh token Getting advice	4	1327	September 5, 2022
Revoke refresh tokens after password reset Securing applications authentication	12	7321	October 25, 2021
Understanding Access token expiration when using client_credentials grant type Getting advice	1	1907	August 19, 2022
Refresh Token Invalidation Securing applications	0	182	October 23, 2023

Refresh token security threat

Related Topics