Notification of Refresh Token invalidation

Hi there,

We are wondering if there is any mechanism for notification of a Refresh Token vulnerability, i.e. when an attacker has used one, or a series, of refresh tokens that have been used previously? Without this, the only indication of such an attack would be that the legitimate user would be repeatedly signed out, which might take some time for appropriate action to eventuate.

Thanks,
Jon

Good morning @JonHarvey,

WIth rotating refresh tokens in place this should help prodvide the additional security you are looking for when using Refresh Tokens. When you get a chance please take a look at some of the supporting articles below and let me know if you have any additional questions!


Hi James,

Thanks for replying, but my question wasn’t so much around the degree of security that could be achieved with Refresh Token rather the question of how to be aware of the vulnerabilities give the decision to use a particular implementation. Unless I’m missing something, I can’t see anything in either of those articles that addresses my questions. We are actually now in the position where our integration with Auth0 using Refresh Tokens is live and we are seeing a signification number of “Invalid tokens” or “failed refresh token exchanges” for which it is difficult to determine the root cause. With many similarly named errors in the logs it is difficult to know which errors occur under which circumstances. Do you have any documentation that would help clarify this? As you can imagine, seeing a seemingly relatively large number of these errors is cause for concern, especially when it is difficult to determine why they are occurring. Any help with better understanding what we are seeing in the logs would be greatly appreciated.

Thanks,
Jon