Friday, March 3, 2017

Should an oAuth server give the same accessToken to a same client request?

Leave a Comment

I am developing an oAuth2 server and I've stumbled upon this question.

Lets suppose a scenario where my tokens are set to expire within one hour. On this timeframe, some client goes through the implicit auth fifty times using the same client_id and same redirect_uri. Basically same everything.

Should I give it the same accessToken generated on the first request on the subsequent ones until it expires or should I issue a new accessToken on every request?

The benefits of sending the same token is that I won't leave stale and unused tokens of a client on the server, minimizing the window for an attacker trying to guess a valid token.

I know that I should rate-limit things and I am doing it, but in the case of a large botnet attack from thousands of different machines, some limits won't take effect immediately.

However, I am not sure about the downsides of this solution and that's why I came here. Is it a valid solution?

4 Answers

Answers 1

I would rather say - no.

Reasons:

  1. You should NEVER store access tokens in plain text on the Authorization Server side. Access tokens are credentials and should be stored hashed. Salting might not be necessary since they are generated strings anyway. See OAuth RFC point 10.3.
  2. Depending how you handle subsequent requests - an attacker who knows that a certain resource owner is using your service and repeat requests for the used client id. That way an attacker will be able to impersonate the resource owner. If you really return the same token then at least ensure that you authenticate the resource owner every time.
  3. What about the "state" parameter? Will you consider requests to be the "same" if the state parameter is different? If no then a botnet attack will simply use a different state every time and force you to issue new tokens.

As an addition - generally defending against a botnet attack via application logic is very hard. The server exposing your AS to the internet should take care for that. On application layer you should take care that it does not go down from small-bandwidth attacks.

Answers 2

You can return the same access_token if it is still valid, there's no issue with that. The only downside may be in the fact that you use the Implicit flow and thus repeatedly send the - same, valid - access token in a URL fragment which is considered less secure than using e.g. the Authorization Code flow.

Answers 3

As a thumb rule never reuse keys, this will bring additional security in the designed system in case of key capture

Answers 4

You can send different access token when requested after proper authentication and also send refresh token along your access token.

Once your access token expires, you should inform user about that and user should re-request for new access token providing one-time-use refresh token previously provided to them skipping need for re-authentication, and you should provide new access token and refresh token.

To resist attack with fake refresh token, you should blacklist them along with their originating IP after few warnings.

PS: Never use predictable tokens. Atleast make it extremely difficult to brute force attacks by using totally random, long alpha-numeric strings. I would suggest bin2hex(openssl_random_pseudo_bytes(512)), if you are using php.

If You Enjoyed This, Take 5 Seconds To Share It

0 comments:

Post a Comment