# OAuth2 refresh token reuse detection failure allows token theft to go unnoticed

- **ID:** `security/oauth2-refresh-token-reuse-detection-failure`
- **Domain:** security
- **Category:** auth_error
- **Verification:** ai_generated
- **Fix Rate:** 87%

## Root Cause

The authorization server neither rotates refresh tokens nor detects their reuse, so a refresh token stays valid no matter how many times it is presented. If an attacker steals one, both the attacker and the legitimate user can keep exchanging it for new access tokens, nothing distinguishes the two uses, and the theft goes unnoticed indefinitely.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| OAuth 2.0 | active | — | — |
| Spring Security 6.2.0 | active | — | — |
| Keycloak 23.0.0 | active | — | — |
| Auth0 Node.js SDK 2.45.0 | active | — | — |

## Workarounds

1. **Implement refresh token rotation:** issue a new refresh token each time a refresh token is used, and invalidate the old one. In Spring Security, configure `refreshTokenRotationStrategy` to `ROTATE` in the authorization server configuration. Example: `@Bean public OAuth2AuthorizationServerConfigurer authorizationServerConfigurer() { return new OAuth2AuthorizationServerConfigurer() .refreshTokenRotationStrategy(RefreshTokenRotationStrategy.ROTATE); }`. (92% success)
2. **Implement refresh token reuse detection:** if a refresh token is used more than once, revoke all tokens for that client and user. In Keycloak, enable "Revoke Refresh Token" in the client settings under "Advanced Settings". This invalidates the token family upon reuse. (88% success)
3. **Use a combination of rotation and reuse detection.** Store the last used refresh token in a database and compare on each request. If the token has been used before, revoke all tokens and alert the user. Example pseudocode: `if (token in usedTokens) { revokeAllTokens(user); alert("Security breach detected"); } else { usedTokens.add(token); issueNewToken(); }`. (90% success)

## Dead Ends

- **Set a very short expiration time for refresh tokens (e.g., 5 minutes)** — Short expiration reduces the window of opportunity but does not prevent reuse. An attacker can still use the token within that window, and the legitimate user's session is interrupted. (50% fail)
- **Use IP-based validation to detect unusual refresh token usage** — IP addresses can be spoofed or changed (e.g., via VPN), and legitimate users may have dynamic IPs, leading to false positives. This is not a reliable security measure. (60% fail)
- **Block the user account after a single refresh token use** — This would break legitimate usage where users refresh tokens normally. It also does not distinguish between the legitimate user and the attacker. (80% fail)
