Refresh Token Reuse Protection#1452
Uh oh!
There was an error while loading. Please reload this page.
Conversation
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
soerfaceforce-pushed the 1404-refresh-token-reuse-protection branch from 2774980 to eb8501eCompareUh oh!
There was an error while loading. Please reload this page.
soerfaceforce-pushed the 1404-refresh-token-reuse-protection branch from eb8501e to fe093a0Compare
n2ygk left a comment
n2ygk left a comment There was a problem hiding this comment.
@soerface This is a really nice security improvement by following the newer BCPs. I agree that the default for now has to be False to avoid immediate breakage for existing users. We can perhaps raise a DeprecationWarning and eventually make the default be True for a future major release.
I have some questions about the migrations and whether they need migrations.swappable_dependency added to them. I'm stumped by this swappable stuff and you can see there are a number of issues raised over the years by people trying to use the functionality....
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
According to https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-29#name-recommendations, the authorization server needs a way to determine which refresh tokens belong to the same session, so it is able to figure out which tokens to revoke. Therefore, this commit introduces a "token_family" field to the RefreshToken table. Whenever a revoked refresh token is reused, the auth server uses the token family to revoke all related tokens.
n2ygkforce-pushed the 1404-refresh-token-reuse-protection branch from a357ff0 to 302da0dCompare
* Implement REFRESH_TOKEN_REUSE_PROTECTION (django-oauth#1404) According to https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-29#name-recommendations, the authorization server needs a way to determine which refresh tokens belong to the same session, so it is able to figure out which tokens to revoke. Therefore, this commit introduces a "token_family" field to the RefreshToken table. Whenever a revoked refresh token is reused, the auth server uses the token family to revoke all related tokens.
2 participants
Fixes#1404
Description of the Change
This PR adds a new setting / feature
REFRESH_TOKEN_REUSE_PROTECTION. It allows django-oauth-toolkit to revoke related refresh and access tokens whenever an already revoked refresh token is used again. This indicates a breach - for details see #1404.The implementation does it by adding a new column
token_familyto the refresh token table. When a new refresh token is created with an existing refresh token, the new refresh token get's assigned the sametoken_familyvalue as the original token. This ensures that all tokens from the same session share the same family. Otherwise (first token of a session, gathered by e.g. username & password), thetoken_familyis a random value.Whenever a revoked refresh token is presented, the server will query for all tokens with the same
token_familyvalue, and call the.revoke()method on it.To discuss: The "select all tokens of a family and revoke" code is always being run when a revoked token is presented. Maybe this could provide a vector for a denial of service attack. Therefore, I was wondering if we should set the
token_familyvalue to NULL after the whole family has been revoked. Another thought to ease database load was furthermore to useobjects.filter(...).delete(), however I was afraid that the logic inside the.revoke()method was relevant and shouldn't be skipped lightheartedly. Furthermore, do you think an index on that new column would be required?Checklist
CHANGELOG.mdupdated (only for user relevant changes)AUTHORS