I’m watching the following page and I have a question about the section Automatic reuse detection
In use-case 2, if a legitimate user never attempts to send a request after a malicious user steals the refresh token, what’s going on?
Is it possible for the malicious user to keep using a new token that he gets from the stolen refresh token?
Welcome to the Community! I believe the answer to your question is “yes”. If the authorization server (Auth0) does not see a refresh token “replay”, then it has no way to know the bearer of the token is a bad actor. This assumes the bad actor has ongoing access to the new refresh and access tokens.
That said, a new feature has been introduced allowing you to set a maximum lifetime for a refresh token or a “family of refresh tokens”, which I believe means the bad actor could get new refresh tokens only for the maximum lifetime set.
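To make the answer concrete, here is an added illustration (constructed for this thread, not Auth0's code) of a server-side refresh token store with rotation, reuse detection and an absolute family lifetime; `scenario_silent_theft` models use-case 2, where the user never returns, and `scenario_user_returns` models the replay that trips detection. Family ids, token formats and the lifetime values are assumptions.

```python
import secrets

class RefreshTokenStore:
    """Toy model of refresh token rotation with reuse detection and a family lifetime."""
    def __init__(self, family_max_lifetime: float):
        self.family_max_lifetime = family_max_lifetime
        self.tokens = {}     # token -> {"family": id, "used": bool}
        self.families = {}   # family id -> {"issued_at": ts, "revoked": bool}
    def issue(self, now: float) -> str:
        # Login: start a new token family and return its first refresh token.
        family = secrets.token_hex(8)
        self.families[family] = {"issued_at": now, "revoked": False}
        return self._mint(family)
    def _mint(self, family: str) -> str:
        token = secrets.token_urlsafe(16)
        self.tokens[token] = {"family": family, "used": False}
        return token
    def refresh(self, token: str, now: float):
        """Rotate a refresh token. Returns (new_token_or_None, reason)."""
        rec = self.tokens.get(token)
        if rec is None:
            return None, "unknown token"
        fam = self.families[rec["family"]]
        if fam["revoked"]:
            return None, "family revoked"
        if now - fam["issued_at"] > self.family_max_lifetime:
            fam["revoked"] = True      # absolute lifetime bounds undetected abuse
            return None, "family lifetime exceeded"
        if rec["used"]:
            fam["revoked"] = True      # replay: server cannot tell who is legitimate
            return None, "reuse detected, family revoked"
        rec["used"] = True
        return self._mint(rec["family"]), "rotated"

def scenario_silent_theft(lifetime=3600.0, interval=600.0):
    """Use-case 2: the attacker keeps rotating the stolen token; the user never returns."""
    store, reasons, t = RefreshTokenStore(lifetime), [], 0.0
    token = store.issue(now=t)         # user logs in; attacker copies this token
    while token is not None:
        t += interval
        token, reason = store.refresh(token, now=t)
        reasons.append(reason)
    return reasons

def scenario_user_returns():
    store = RefreshTokenStore(3600.0)
    stolen = store.issue(now=0.0)
    attacker_token, r1 = store.refresh(stolen, now=10.0)
    _, r2 = store.refresh(stolen, now=20.0)            # user's replay trips detection
    _, r3 = store.refresh(attacker_token, now=30.0)    # attacker's latest token is dead too
    return r1, r2, r3
```

Without a replay the store only ever sees "rotated" until the family lifetime expires, which is exactly why the maximum family lifetime is the control that caps the window in use-case 2.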