How to prevent refreshing a stolen access token

The scenario is: you have refresh token that is valid for a longer period of time and an access token that is valid for a shorter period of time.

The setup: There is a client, application server and authentication server.

  • The client stores the access token.
  • The application server stores the refresh token.
  • The authentication server hands out the refresh + access token.

One of the advantages is that a stolen access token can only be used for the time it is valid.

Say a hacker steals the access token that is valid for 30 minutes. When the hacker makes a request with the valid but expired stolen access token after 30 minutes, the application server refreshes it with the refresh token, and thus the hacker gains a new, valid, non-expired access token.

How can this be prevented?

Arthur asked Nov 08 '22 07:11


1 Answer

An application server should not have the refresh token.

In OAuth2.0 the client should store the refresh token.

To use the refresh token to mint a new access token, the client should present the refresh token (along with the client id and secret) to the authorisation server.

iandayman answered Dec 24 '22 09:12