If a legitimate user never attempts a request after a malicious user steals a refresh token

I’m watching the following page and I have a question about the section Automatic reuse detection

In use-case 2, if a legitimate user never attempts to send a request after a malicious user steals the refresh token, what’s going on?
Is it possible for the malicious user to keep using a new token that he gets from the stolen refresh token?

Hello @str.kikuchi,

Welcome to the Community! I believe the answer to your question is “yes”. If the authorization server (Auth0) does not see a refresh token “replay”, then it has no way to know the bearer of the token is a bad actor. This assumes the bad actor has ongoing access to the new refresh and access tokens.

That said, a new feature has been introduced allowing you to set a maximum lifetime for a refresh token or a “family of refresh tokens”, which I believe means the bad actor could get new refresh tokens only for the maximum lifetime set.

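Added here as an illustration, not code from Auth0 or from anyone in this thread: a toy authorization server (hypothetical class `RotatingRefreshTokens` and helper `attacker_rotates_unchallenged`) that implements rotation with reuse detection plus a maximum lifetime for the whole token family, so the two outcomes described in the answer can be run side by side. The clock is injected so that the lifetime limit can be exercised without waiting.

```python
import secrets

class RotatingRefreshTokens:
    """Toy authorization server: refresh-token rotation, reuse detection
    and an absolute lifetime per token family (hypothetical code)."""

    def __init__(self, family_max_lifetime, clock):
        self.family_max_lifetime = family_max_lifetime  # seconds
        self.clock = clock         # callable returning seconds; injected so callers control time
        self.tokens = {}           # token -> {"family": id, "used": bool}
        self.families = {}         # family id -> {"created": ts, "revoked": bool}

    def login(self):
        # A real login starts a fresh family; every rotation stays inside it.
        fid = secrets.token_hex(8)
        self.families[fid] = {"created": self.clock(), "revoked": False}
        return self._issue(fid)

    def _issue(self, fid):
        token = secrets.token_urlsafe(16)
        self.tokens[token] = {"family": fid, "used": False}
        return token

    def refresh(self, token):
        """Rotate: return a new refresh token, or None if the request is refused."""
        rec = self.tokens.get(token)
        if rec is None:
            return None
        fam = self.families[rec["family"]]
        if fam["revoked"]:
            return None
        if self.clock() - fam["created"] > self.family_max_lifetime:
            fam["revoked"] = True   # family outlived its absolute maximum
            return None
        if rec["used"]:
            fam["revoked"] = True   # replay seen: every token in the family dies
            return None
        rec["used"] = True
        return self._issue(rec["family"])

def attacker_rotates_unchallenged(server, stolen, attempts):
    """Use case 2 with a silent victim: count how many fresh tokens the holder of
    a stolen token obtains. Only the family lifetime stops this without a replay."""
    issued, current = 0, stolen
    for _ in range(attempts):
        current = server.refresh(current)
        if current is None:
            break
        issued += 1
    return issued
```

Running the reuse case (victim replays the original token after the thief rotated it) shows the whole family revoked, including the thief's newest token; running the silent-victim case shows rotation continuing until the family lifetime is exceeded.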

Thanks @markd for helping on this front!
