
How to prevent token substitution attack?


Suppose we have two users doing the following operations:

  1. User1 requests an access token from the auth server and is granted one.
  2. Now User1 saves the token into localStorage/cookie for future API access.
  3. Now User2 approaches User1's browser and gets the access_token somehow.
  4. Now User2 calls the API using User1's access_token and gets access too, without logging in.

Now, can we validate the token anyhow?


Solution

  • You can't avoid that happening. However, the token should have an expiration time, so the attacker will only have access during that time. Also, if you know that a token has been stolen, you can revoke it so it's no longer valid.

    You could apply more security measures such as associating the token with a specific IP address, or some advanced services that even use machine learning to detect unusual behaviours.
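The checks the answer describes (short expiry, revocation of a known-stolen token, optional binding to the client's IP address) as an added Python example; it is not code from the question or answer, and the HMAC-signed token format, shared secret and in-memory revocation set are constructed stand-ins for what a real auth server (e.g. a Spring resource server validating JWTs) would provide:

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # assumption: HMAC key shared with the auth server
REVOKED = set()                      # token ids (jti) the auth server has revoked

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(sub, jti, client_ip, ttl_seconds, now=None):
    """Mint a compact HMAC-signed token carrying sub, jti, exp and the IP it is bound to."""
    now = time.time() if now is None else now
    payload = {"sub": sub, "jti": jti, "exp": int(now + ttl_seconds), "ip": client_ip}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def revoke(jti):
    """Called when a token is known to be stolen: it is rejected from now on."""
    REVOKED.add(jti)

def validate_token(token, request_ip, now=None):
    """Return (ok, reason_or_subject). Rejects tampered, expired, revoked or IP-mismatched tokens."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return False, "malformed"
    expected = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):   # reject before trusting any claim
        return False, "bad signature"
    claims = json.loads(_unb64(body))
    if claims["exp"] <= now:                     # short lifetime limits the damage window
        return False, "expired"
    if claims["jti"] in REVOKED:                 # stolen token revoked by the auth server
        return False, "revoked"
    if claims["ip"] != request_ip:               # replay from User2's machine is refused
        return False, "ip mismatch"
    return True, claims["sub"]
```

IP binding rejects legitimate users whose address changes (mobile networks, NAT), so in practice it is a signal fed into the anomaly detection the answer mentions rather than a hard rule.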