Is your feature request related to a problem? Please describe.
I am currently using Hydra as Authorization Server in my enterprise applications suite and I am facing with security and user experience concerns in Single Page Applications. Our applications use Auth Code Flow and we currently avoid using refresh tokens in such an insecure environment.
I understand that Hydra implements the Refresh Token Rotation best practice, but in case of a stolen refresh token there is no automatic way to recognise that a refresh token is being reused to invalidate the whole refresh token family associated with that consent session.
Describe the solution you'd like
I have seen that there are examples of implementations of a reuse detection feature, like what happens in Auth0. Are there chances that a similar solution is (or will be) implemented in Hydra too?
Thanks in advance for any feedback on this.
Hi @flavioleggio,
are you sure that the refresh tokens are not rotated/invalidated on refresh?
I recently tested and verified that if I exchange a refresh token with a new one the old one gets deleted from the database and can't be used anymore.
There is also this issue #1831 which discusses the need of a refresh token grace period on bad network connections to the database which is in that specific case a nice to have feature in my opinion.
Are you using a specific version where this issue appears?
Hi @IonFoXx,
I am sure that refresh tokens are rotated and invalidated each time. The feature I am requesting here is actually Reuse Detection.
This is the supposed scenario for Automatic Reuse Detection (which as far as I know is not yet implemented in version 1.2.1):
This solution is implemented in Auth0 Authorization Server, as described in the document referred in my post.
Hi,
sorry, than I misunderstood your question and I should have spent more time reading the linked post. I understood that post in a way it already exists within hydra.
That feature in combination with #1831, which I think is also part of what Auth0 does (Refresh Token Reuse Interval), would be a really nice addition and increase the security of the whole project.
Thank you for this idea. Given these issues I think we generally need to have three strategies:
This is a bit of work, so I'm tagging this as "NEXT". However, I'd be more than happy to help with pointers and reviews if you want to tackle this!
I actually thought this was an implemented feature. Do you know if this is scheduled in a release yet? It's a critical feature IMO, when performing client-side PKCE flows.
No, it is currently not in our capacity to implement this as kt requires quite some refactoring - sorry!
Thanks for the update. Hopefully it will be on the roadmap somewhere
Most helpful comment
Hi,
sorry, than I misunderstood your question and I should have spent more time reading the linked post. I understood that post in a way it already exists within hydra.
That feature in combination with #1831, which I think is also part of what Auth0 does (Refresh Token Reuse Interval), would be a really nice addition and increase the security of the whole project.