How secure are expiring tokens and refresh tokens?

It could be that the access token might end up being used around the application over plain HTTP connections. So if an attacker sniffed it, they would only have short term access. This is what used to happen on the web as standard. Login was over HTTPS if you were lucky, and the rest of your session was over plain HTTP, transmitting the session ID in cleartext.

The refresh token is only transmitted to the authorization server, so it is easier to enforce HTTPS only, meaning that an attacker could not eavesdrop on this connection.

See here for more information:

There is a security reason: the refresh_token is only ever exchanged with the authorization server, whereas the access_token is exchanged with resource servers. This mitigates the risk of a long-lived access_token leaking (query param in a log file on an insecure resource server, beta or poorly coded resource server app, JS SDK client on a non-HTTPS site that puts the access_token in a cookie, etc.) in the "an access token good for an hour, with a refresh token good for a year or good-till-revoked" vs "an access token good-till-revoked without a refresh token" comparison.


Let's consider there is a server that validates and issues tokens to a client.

Client (sends username & password) -> Server

Server (validates the credentials and returns access and refresh tokens) -> Client

The client stores the tokens securely and uses the access token for the further API calls made to the server (until the access token expires). Once the access token expires, the client may receive a 401 (Unauthorized) HTTP code from the server and realizes the access token is no longer valid.

The client then uses its refresh token and gets the new access and refresh tokens from the server.

Effects of a compromised access token - The attacker will be able to access the data until the access token expires.

Effects of a compromised refresh token - The attacker may be able to obtain a new access and refresh token which may also invalidate the victim's access. When the victim tries to get a new access token with their refresh token it will fail because their refresh token has already been used. The victim would have to log in again using their credentials which would reissue the tokens and invalidate the attacker's stolen tokens.


I answered a similar question that ended up being marked as a duplicate of this one. However, I feel that my answer to that question provides a stronger argument for how refresh tokens provide additional security. In short, if the refresh token is compromised, it is much easier to detect it and take appropriate action, such as disabling the auth tokens and refresh tokens, and forcing the user to log in again with their credentials. In other words, compromised credentials can be shut down much faster when refresh tokens are in use.
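The following is an added example (not code from this page, and not any OAuth library's API) that walks through both the login/refresh flow described in the previous answer and the detection argument made here. It is a toy authorization server: access tokens live for an hour and refresh tokens for a year (the lifetimes quoted above), every refresh token is single-use, and the server stores only hashes of the tokens it issued. The one point where it goes beyond the answers is an assumption worth stating: when a refresh token is presented a second time, the server treats that as proof that two parties hold it and revokes every token descended from the same login (the "family"), rather than waiting for the victim to log in again. The class and function names, the fake clock and the user store are all constructed for the example.

```python
"""Toy OAuth-style issuer: short-lived access tokens, one-time refresh tokens,
and refresh-token reuse detection. Added illustration; all names are assumptions."""
import hashlib
import hmac
import os
import secrets
import time

ACCESS_TTL = 60 * 60                # access token good for an hour
REFRESH_TTL = 365 * 24 * 60 * 60    # refresh token good for a year


def make_user(password: str) -> tuple:
    """(salt, PBKDF2 hash) entry for the constructed demo user store."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _digest(token: str) -> str:
    # Only token hashes are stored: a dump of server state yields no usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class AuthServer:
    def __init__(self, users: dict, clock=time.time):
        self._users = users            # username -> (salt, hash)
        self._clock = clock            # injectable so expiry can be simulated
        self._access = {}              # digest -> (user, family, expires_at)
        self._refresh = {}             # digest -> {user, family, expires_at, used}
        self._revoked_families = set() # families killed after reuse was detected

    def _issue(self, user: str, family: str) -> tuple:
        now = self._clock()
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._access[_digest(access)] = (user, family, now + ACCESS_TTL)
        self._refresh[_digest(refresh)] = {"user": user, "family": family,
                                           "expires_at": now + REFRESH_TTL, "used": False}
        return access, refresh

    def login(self, username: str, password: str):
        """Credential check; each successful login starts a fresh token family."""
        record = self._users.get(username)
        if record is None:
            return None
        salt, expected = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, expected):
            return None
        return self._issue(username, secrets.token_hex(8))

    def validate_access(self, token: str):
        """Per-request check a resource server performs: user on success, None means 401."""
        entry = self._access.get(_digest(token))
        if entry is None:
            return None
        user, family, expires_at = entry
        if family in self._revoked_families or self._clock() >= expires_at:
            return None
        return user

    def refresh(self, token: str):
        """Rotate tokens. A refresh token works once; a second presentation is
        evidence of compromise, so the whole family is revoked (assumed policy)."""
        entry = self._refresh.get(_digest(token))
        if entry is None or entry["family"] in self._revoked_families:
            return None
        if entry["used"]:
            self._revoked_families.add(entry["family"])   # reuse detected
            return None
        if self._clock() >= entry["expires_at"]:
            return None
        entry["used"] = True
        return self._issue(entry["user"], entry["family"])


def stolen_refresh_scenario() -> dict:
    """Replays the compromise from the answers with a constructed user and a fake clock."""
    now = [1_700_000_000.0]
    server = AuthServer({"alice": make_user("correct horse battery")}, clock=lambda: now[0])
    access, refresh = server.login("alice", "correct horse battery")
    now[0] += ACCESS_TTL                                    # an hour passes
    expired = server.validate_access(access)                # resource server would answer 401
    attacker = server.refresh(refresh)                      # attacker spends the stolen refresh token
    victim = server.refresh(refresh)                        # victim's own refresh now fails: reuse
    attacker_access = server.validate_access(attacker[0])   # family revoked on reuse detection
    new_access, _ = server.login("alice", "correct horse battery")  # victim logs in again
    return {
        "expired_access_rejected": expired is None,
        "attacker_refresh_succeeded": attacker is not None,
        "victim_refresh_rejected": victim is None,
        "attacker_access_after_reuse": attacker_access,
        "relogin_user": server.validate_access(new_access),
    }
```

Run `stolen_refresh_scenario()` to see the sequence: the expired access token is rejected, the attacker's refresh succeeds, the victim's refresh of the same token fails, and that failure is the signal that lets the server cut off the attacker's freshly issued access token before the victim even re-authenticates.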

Tags:

Oauth