
How to securely keep my users signed in with refresh tokens?


From https://stackoverflow.com/a/7209263/1225328:

The idea of refresh tokens is that if an access token is compromised, because it is short-lived, the attacker has a limited window in which to abuse it.

I get it, but if the attacker accesses the refresh token, they will be able to get a fresh auth token, am I wrong? This seems to just postpone the long-lived token security flaw...

Concerning this point, you'll find in the same answer:

Refresh tokens, if compromised, are useless because the attacker requires the client id and secret in addition to the refresh token in order to gain an access token.

Then what's the difference between using a refresh token and simply re-signing in? And how do you store the client id and secret if you don't want users to have to re-enter them?


As @FStephenQ pointed out, a refresh token can be used only once: an attacker will then be able to get a new auth token, but only once, and a short-lived one. But then, how do you obtain a new refresh token once you already used one? If you get a new one when you use one, an attacker will then be able to refresh their token too...


The actual question is: how to keep my users signed in? On the apps I use, once I've signed in, I never have to sign in again: how do they proceed?


Solution

  • A refresh token can only be used to refresh once, and it is only sent to the authentication server when the client's access token has expired. When a refresh token is used, the authentication server returns a new authentication token, and optionally a new refresh token. The idea is to allow using short-lived access tokens, while allowing a valid client to re-authenticate without forcing the user to log in again.

    If a refresh token is stolen, then it can be used once to get a valid access token by the attacker. When the client tries to refresh their token, their refresh token will be stale, and so will be rejected. They will then ask the user to log in again, and the authentication server will give them a new access token and refresh token, and the stolen token will be invalidated.
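As an added illustration (not code from the answer above), here is a minimal Python model of the rotation the answer describes: each refresh token is single-use, a successful refresh returns a new access token and a new refresh token, and a stolen copy becomes useless as soon as either party has refreshed. It goes one step beyond the answer in that a second presentation of an already-used token revokes the whole token family, so the legitimate user is forced to log in again instead of silently racing the thief. The token lifetimes, the "family" id and the hashing of stored tokens are assumptions of this example.

```python
import hashlib
import secrets
import time

ACCESS_TTL = 300               # access tokens live 5 minutes (assumed value)
REFRESH_TTL = 30 * 24 * 3600   # refresh tokens live 30 days (assumed value)


class AuthServer:
    """Toy authentication server with one-time-use, rotating refresh tokens."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.refresh = {}              # sha256(refresh token) -> record
        self.revoked_families = set()  # families killed after reuse detection

    @staticmethod
    def _digest(token):
        # Store only a hash, so a leaked token table yields no usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def _issue(self, user, family):
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.refresh[self._digest(refresh)] = {
            "user": user, "family": family,
            "exp": self.clock() + REFRESH_TTL, "used": False,
        }
        return {"access_token": access, "expires_in": ACCESS_TTL,
                "refresh_token": refresh}

    def login(self, user, password):
        # Credential verification is out of scope here; assume it succeeded.
        # A fresh login starts a new family, so older stolen tokens stay dead.
        return self._issue(user, secrets.token_hex(8))

    def refresh_tokens(self, refresh_token):
        rec = self.refresh.get(self._digest(refresh_token))
        if (rec is None or rec["family"] in self.revoked_families
                or rec["exp"] < self.clock()):
            raise PermissionError("unknown, expired or revoked refresh token")
        if rec["used"]:
            # Second presentation: either the thief or the victim holds a stale
            # copy. Revoke the whole family and force a real login.
            self.revoked_families.add(rec["family"])
            raise PermissionError("refresh token reuse detected; family revoked")
        rec["used"] = True                                # one-time use
        return self._issue(rec["user"], rec["family"])    # rotate both tokens


def try_refresh(server, token):
    """Returns the new token pair, or None when the server rejects the refresh."""
    try:
        return server.refresh_tokens(token)
    except PermissionError:
        return None
```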