Should an OAuth server give the same accessToken to the same client request?

I am developing an OAuth2 server and I've stumbled upon this question.

Let's suppose a scenario where my tokens are set to expire within one hour. In this timeframe, some client goes through the implicit auth fifty times using the same client_id and same redirect_uri. Basically the same everything.

Should I give it the same accessToken generated on the first request for the subsequent ones until it expires, or should I issue a new accessToken on every request?

The benefit of sending the same token is that I won't leave stale and unused tokens of a client on the server, minimizing the window for an attacker trying to guess a valid token.

I know that I should rate-limit things and I am doing it, but in the case of a large botnet attack from thousands of different machines, some limits won't take effect immediately.

However, I am not sure about the downsides of this solution and that's why I came here. Is it a valid solution?

Vinicius Tavares asked Feb 22 '17 19:02


3 Answers

I would rather say: no.

Reasons:

  1. You should NEVER store access tokens in plain text on the Authorization Server side. Access tokens are credentials and should be stored hashed. Salting might not be necessary since they are generated strings anyway. See OAuth RFC point 10.3.
  2. Depending on how you handle subsequent requests, an attacker who knows that a certain resource owner is using your service can repeat requests for the used client id. That way the attacker will be able to impersonate the resource owner. If you really return the same token, then at least ensure that you authenticate the resource owner every time.
  3. What about the "state" parameter? Will you consider requests to be the "same" if the state parameter is different? If not, then a botnet attack will simply use a different state every time and force you to issue new tokens.

As an addition: generally, defending against a botnet attack via application logic is very hard. The server exposing your AS to the internet should take care of that. At the application layer you should take care that it does not go down from small-bandwidth attacks.

vap78 answered Oct 10 '22 19:10
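A defensive sketch of vap78's first point, tied back to the "same token" idea in the question, added here as an illustration and not taken from the post or any answer: the authorization server persists only a SHA-256 digest of each token, so it could not hand the earlier token back even if it wanted to, and the resource server validates by digest lookup plus expiry. The client ids, subjects and scopes are constructed sample values.

```python
import hashlib
import secrets
import time

# Added example, not code from any answer on this page: an authorization
# server token store that keeps only the SHA-256 digest of each access token
# it issues (RFC 6749 section 10.3 treats access tokens as credentials).
# With no plaintext on the server, a repeat request cannot be answered with
# the "same" token; every request gets a fresh, unguessable one instead.

TOKEN_TTL = 3600  # one hour, as in the question's scenario


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class TokenStore:
    def __init__(self, now=time.time):
        self._now = now      # injectable clock so expiry can be tested
        self._records = {}   # digest -> token metadata, never the plaintext

    def issue(self, client_id: str, subject: str, scope: str) -> str:
        """Mint a token, persist only its digest, hand the plaintext out once."""
        token = secrets.token_urlsafe(32)  # 256 bits of entropy
        self._records[_digest(token)] = {
            "client_id": client_id,
            "sub": subject,
            "scope": scope,
            "exp": self._now() + TOKEN_TTL,
        }
        return token

    def validate(self, token: str):
        """Resource-server check: digest the presented token and look it up."""
        rec = self._records.get(_digest(token))
        if rec is None or rec["exp"] <= self._now():
            return None
        return rec

    def holds_plaintext(self, token: str) -> bool:
        """True only if a plaintext token ever leaked into the store."""
        return token in self._records


if __name__ == "__main__":
    store = TokenStore()
    first = store.issue("app-123", "alice", "read")   # constructed sample ids
    second = store.issue("app-123", "alice", "read")  # identical request
    print("distinct:", first != second, "plaintext stored:", store.holds_plaintext(first))
```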


You can return the same access_token if it is still valid, there's no issue with that. The only downside may be in the fact that you use the Implicit flow and thus repeatedly send the - same, valid - access token in a URL fragment which is considered less secure than using e.g. the Authorization Code flow.

Hans Z. answered Oct 10 '22 18:10


As a rule of thumb, never reuse keys; this will bring additional security to the designed system in case of key capture.

SACn answered Oct 10 '22 20:10