Alexander Pankov, 2021-06-16 15:07:57

How to renew authorization tokens for multiple devices?

Hello, can you explain the authorization logic for access/refresh tokens for several devices of one user? I can't figure out how to invalidate stolen tokens without harming the real client.
I have a train of thought, and it

I googled such an answer but did not understand it. What is the correct refresh_token renewal strategy for multiple devices?

1) access_token (user_id + fingerprint) - we do not store it in the database; the payload carries the client ID and its device
- refresh_token - we store it together with user_id, fingerprint, exp_at: the user id, some device key (fingerprint) and the refresh token itself with its validity date

2) the attacker stole our tokens and sends a request to refresh the token (does he send both tokens at once?)
From the access_token we get (user_id + fingerprint), even though it is expired,
we look up the refresh token in the database,
we look for the row user_id + fingerprint + refresh_token,
there is such a row (the login of our real client put it there)

3) for the attacker we generate a new access token and a new refresh token, and we update the entry
user_id + fingerprint + refresh_token in the database;
the attacker uses all this perfectly well for an unlimited time

4) our user uses his access token in the same way, but it expires and he sends a refresh request

5) we look for his refresh token
user_id + fingerprint + refresh_token in the database
and we don't find it, since it was updated by our attacker with his own fingerprint, using the previously stolen tokens

6) accordingly, we send the client back to the login page; he logs in and receives his 2 tokens, and the attacker continues to use his tokens. The application thinks that our client is simply authorized from 2 devices at once and everything is normal

As a result, everyone has access, and from the application's point of view everything is fine. I understand that it is possible to make a "Your sessions" tab in the client's personal account and display every session except the current one, so that he could remove the attacker's access and close it himself, but if the attacker stole all his tokens once, he will steal them a second time.

There is something I don't understand; please tell me where the mistake is.

Rsa97, 2021-06-16
@PankovAlxndr

When a refresh token is used, it is marked in the database as used. When an attempt is made to reuse the same token, all of the user's refresh tokens are deleted and a login/password is requested.
A refresh token is removed from the database once its lifetime has expired.
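The scheme Rsa97 describes (single-use refresh tokens, revoke everything on reuse, purge on expiry), replayed against the theft scenario from the question, as an added example in Python. This is not code from the page or from either poster. Assumptions: a Python dict stands in for the database table (user_id, fingerprint, expires_at, used flag); only the SHA-256 of each refresh token is stored so a database leak does not hand out usable tokens; the access token is an HMAC-signed "user_id.fingerprint.exp" string that is never stored; and the clock is injectable so expiry can be exercised offline. The fingerprint is recorded for a "Your sessions" page but not enforced, since a thief who copied the tokens can copy the fingerprint too.

```python
"""Refresh-token rotation with reuse detection (added example, not the page's code).

Assumed: in-memory dict instead of a DB, hashed refresh tokens, HMAC access token,
injectable clock. Rows are kept after use (used=True) until they expire, because a
deleted row cannot tell us that a replay happened.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


class LoginRequired(Exception):
    """Refresh token unknown, expired or revoked: the client must log in again."""


class ReuseDetected(LoginRequired):
    """A rotated-out refresh token was presented again: someone holds a copy."""


@dataclass
class RefreshRow:                     # one database row per refresh token
    user_id: str
    fingerprint: str
    expires_at: float
    used: bool = False                # set on first use, row kept until expiry


class TokenService:
    def __init__(self, secret: bytes, *, access_ttl=900, refresh_ttl=30 * 86400, clock=time.time):
        self._secret = secret
        self._access_ttl = access_ttl
        self._refresh_ttl = refresh_ttl
        self._now = clock
        self._rows: dict[str, RefreshRow] = {}   # keyed by sha256(refresh_token)

    # --- access token: signed payload, nothing stored server-side -------------
    def _access_token(self, user_id: str, fingerprint: str) -> str:
        payload = f"{user_id}.{fingerprint}.{int(self._now()) + self._access_ttl}"
        tag = hmac.new(self._secret, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}.{tag}"

    def verify_access(self, token: str):
        """Return (user_id, fingerprint), or None if the token is forged or expired."""
        try:
            user_id, fingerprint, exp, tag = token.rsplit(".", 3)
        except ValueError:
            return None
        payload = f"{user_id}.{fingerprint}.{exp}"
        expected = hmac.new(self._secret, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected) or int(exp) <= self._now():
            return None
        return user_id, fingerprint

    # --- refresh token: random, single-use, only its hash is stored -----------
    @staticmethod
    def _key(refresh_token: str) -> str:
        return hashlib.sha256(refresh_token.encode()).hexdigest()

    def _issue(self, user_id: str, fingerprint: str):
        refresh = secrets.token_urlsafe(32)
        self._rows[self._key(refresh)] = RefreshRow(user_id, fingerprint, self._now() + self._refresh_ttl)
        return self._access_token(user_id, fingerprint), refresh

    def login(self, user_id: str, fingerprint: str):
        """Caller has already checked the password; start a new session (one per device)."""
        return self._issue(user_id, fingerprint)

    def refresh(self, refresh_token: str, fingerprint: str):
        self.purge_expired()
        row = self._rows.get(self._key(refresh_token))
        if row is None:
            raise LoginRequired("unknown, expired or revoked refresh token")
        if row.used:
            # Already rotated out. We cannot tell whether the presenter is the thief
            # or the real client, so every refresh token of this user is dropped.
            self.revoke_all(row.user_id)
            raise ReuseDetected(row.user_id)
        row.used = True                # keep the row so a later replay is caught
        return self._issue(row.user_id, fingerprint)

    def revoke_all(self, user_id: str) -> None:
        self._rows = {k: r for k, r in self._rows.items() if r.user_id != user_id}

    def purge_expired(self) -> None:
        now = self._now()
        self._rows = {k: r for k, r in self._rows.items() if r.expires_at > now}

    def active_sessions(self, user_id: str) -> list:
        """Unused, unexpired rows = live devices, as a "Your sessions" page would list them."""
        return sorted(r.fingerprint for r in self._rows.values() if r.user_id == user_id and not r.used)


def simulate_theft(attacker_first: bool) -> list:
    """Steps 1-6 from the question under rotation + reuse detection (constructed scenario).
    Whoever presents the stolen token second trips the alarm; both orderings end with the
    thief's rotated token dead, at the price of the real client logging in once more."""
    clock = [1_700_000_000.0]
    svc = TokenService(b"demo-secret", clock=lambda: clock[0])
    _, stolen = svc.login("alice", "fp-alice-phone")          # step 1: real login
    first, second = ("attacker", "fp-attacker"), ("alice", "fp-alice-phone")
    if not attacker_first:
        first, second = second, first
    events = []
    _, rotated = svc.refresh(stolen, first[1])                # first presenter wins
    events.append(f"{first[0]} refreshed with original token: ok")
    try:
        svc.refresh(stolen, second[1])                        # replay of a used token
    except ReuseDetected:
        events.append(f"{second[0]} replayed original token: reuse detected, all sessions revoked")
    try:
        svc.refresh(rotated, first[1])                        # the rotated token died with the rest
        events.append(f"{first[0]} used rotated token: ok")
    except LoginRequired:
        events.append(f"{first[0]} used rotated token: login required")
    return events


if __name__ == "__main__":
    for line in simulate_theft(attacker_first=True) + simulate_theft(attacker_first=False):
        print(line)
```

The trade-off is visible in `simulate_theft`: when the attacker refreshes first, the real client's next refresh is what triggers the revocation, so the client is bounced to the login page once, and the attacker's freshly rotated token is already dead by then. Rows are never deleted on use, only flagged; `purge_expired` is what eventually removes them, matching the last sentence of the answer.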
