Connect2id server 14.2 introduces reuse grace period for rotated refresh tokens

The current OAuth 2.0 security best practices require refresh tokens issued to public clients to be either sender-constrained (with mTLS or DPoP) or rotated, so that a refresh token which leaks and ends up in the hands of a malicious actor cannot simply be replayed.

One recognised drawback of rotation is the potential for false positives with legitimate public clients on a slow or poor network connection. The OAuth 2.0 server may have successfully processed the token request and written the response with the newly minted access and refresh tokens, while the client was unable to read it because of an HTTP timeout or an interrupted connection. The client will then typically retry the request with the previous refresh token, but because the server has already flagged that token as rotated, the retry is treated as a replay: the client gets an invalid_grant error and the server applies the customary revocation of the authorisation.

To mitigate such networking issues the Connect2id server now allows a short grace period during which the client may retry the token request with the same, already rotated refresh token without this being treated as a replay. The trade-off is that a stolen token replayed inside the window is served as well, rather than triggering the revocation, so the period should be kept as short as the clients' network conditions allow. The default grace period is 5 seconds (currently supported only for refresh tokens linked to short-lived, transient authorisations). To change it we added a new configuration property:

authzStore.refreshToken.rotatedReuseGracePeriod=5
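The following Python model, added here as an illustration and not Connect2id server code, walks through the policy described above: a refresh token is rotated, the client retries with the expended token 1 second later (inside the window, so it is served), and a further presentation after the window expires is treated as a replay that revokes the whole authorisation, including the valid successor token. What the server returns on an allowed reuse (here a fresh access token plus the refresh token the client never received), the class and method names and the timestamps are all assumptions of this example.

```python
"""Refresh token rotation with a reuse grace period (illustrative model).

Added example, not Connect2id server code. The response on an allowed
reuse and all names below are assumptions of this example.
"""
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


class InvalidGrant(Exception):
    """Corresponds to the OAuth 2.0 'invalid_grant' token error response."""


@dataclass
class Authorization:
    sub: str
    client_id: str
    scope: Tuple[str, ...]
    current_refresh: str                  # the only fully valid refresh token
    expended: Dict[str, float] = field(default_factory=dict)  # rotated token -> rotation time
    revoked: bool = False


@dataclass
class AuthzStore:
    grace_period: float = 5.0             # seconds, cf. authzStore.refreshToken.rotatedReuseGracePeriod
    clock: Callable[[], float] = time.time  # injectable, so the scenario below is deterministic
    by_token: Dict[str, Authorization] = field(default_factory=dict)
    allowed_reuses: int = 0               # cf. meter authzStore.rotatedRefreshTokenAllowedReuses
    replay_revocations: int = 0           # cf. meter authzStore.rotatedRefreshTokenReplayRevocations

    def issue(self, sub: str, client_id: str, scope: Tuple[str, ...]) -> dict:
        """Create an authorisation and its first refresh token."""
        authz = Authorization(sub, client_id, scope, secrets.token_urlsafe(32))
        self.by_token[authz.current_refresh] = authz
        return self._response(authz)

    def refresh(self, refresh_token: str) -> dict:
        """Handle grant_type=refresh_token with rotation and the grace period."""
        now = self.clock()
        authz = self.by_token.get(refresh_token)
        if authz is None or authz.revoked:
            raise InvalidGrant("Invalid or expired refresh token")
        if refresh_token == authz.current_refresh:
            # Normal path: expend the presented token and mint its successor.
            authz.expended[refresh_token] = now
            authz.current_refresh = secrets.token_urlsafe(32)
            self.by_token[authz.current_refresh] = authz
            return self._response(authz)
        # The presented token was already rotated; how long ago?
        age = now - authz.expended[refresh_token]
        if age <= self.grace_period:
            # Treated as a retry after a lost response. An attacker replaying
            # a stolen token inside this window is served too: keep it short.
            self.allowed_reuses += 1
            return self._response(authz)
        # Replay outside the window: revoke the authorisation for this
        # subject/client, which also invalidates the current refresh token.
        self.replay_revocations += 1
        authz.revoked = True
        raise InvalidGrant("Invalid grant")

    def _response(self, authz: Authorization) -> dict:
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "refresh_token": authz.current_refresh, "scope": " ".join(authz.scope)}


class FakeClock:
    """Manually advanced clock for reproducing the slow-client scenario."""
    def __init__(self, start: float):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def slow_client_scenario(grace_period: float = 5.0) -> dict:
    """Rotation, a retry inside the window, then a replay outside it."""
    clock = FakeClock(1689583257.0)          # constructed timestamp
    store = AuthzStore(grace_period=grace_period, clock=clock)
    rt0 = store.issue("alice", "etxmlfglafhn2", ("read", "write"))["refresh_token"]
    clock.advance(6)
    rt1 = store.refresh(rt0)["refresh_token"]  # rotated; assume the response was lost
    clock.advance(1)
    retry = store.refresh(rt0)                 # 1s later: inside the grace period
    clock.advance(grace_period + 1)
    outcome = {"retry_got_successor": retry["refresh_token"] == rt1,
               "allowed_reuses": store.allowed_reuses}
    for name, token in (("replay_rejected", rt0), ("current_rejected", rt1)):
        try:
            store.refresh(token)               # rt0 is now a replay; rt1 dies with it
            outcome[name] = False
        except InvalidGrant:
            outcome[name] = True
    outcome["replay_revocations"] = store.replay_revocations
    return outcome


if __name__ == "__main__":
    print(slow_client_scenario())
```

Running the scenario with the default 5 second window yields one allowed reuse and one replay revocation; the second failed lookup shows the collateral effect of the revocation on the still-valid successor token, which is the behaviour the grace period exists to avoid for honest clients.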

To monitor how often rotated refresh tokens are reused, both the reuses allowed within the grace period and those rejected as replays, two new meters were added:

  • authzStore.rotatedRefreshTokenAllowedReuses -- Meters allowed reuses of rotated refresh tokens within the configured grace period.

  • authzStore.rotatedRefreshTokenReplayRevocations -- Meters authorisation revocations due to rotated refresh token replay.

The Connect2id server log records each individual rotated refresh token reuse and the action that was taken. Together with the meters, this information can be used to fine-tune the grace period.

Example rotated refresh token reuse within the grace period (grep for AS0285):

INFO TOKEN - [OP6204] Confidential client authenticated: client_id=etxmlfglafhn2 method=client_secret_basic client_auth_id=dUEgk8M0Bue_5AJR
INFO AUTHZ-STORE - [AS0285] Expended refresh token check: Allowed reuse within 1s: last_token_iat=1689583263 checked_token_iat=1689583257
INFO AUTHZ-STORE - [AS0280] Issued access token: sub=alice act= client_id=etxmlfglafhn2 scope=[read, write]

Example rotated refresh token reuse that was denied and triggered the customary revocation of the client's tokens for the subject (grep for AS0278):

INFO TOKEN - [OP6204] Confidential client authenticated: client_id=hxds4i5olwtqc method=client_secret_basic client_auth_id=PNRC_b0DADRbx0Xx
INFO AUTHZ-STORE - [AS0278] Revoked authorizations due to replay of rotated self-contained refresh token: sub=alice act=null client_id=hxds4i5olwtqc
INFO AUTHZ-STORE - [AS0270] Invalid or expired refresh token: client_id=hxds4i5olwtqc
INFO TOKEN - [OP6201] Token error response: invalid_grant: Invalid grant
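To turn such log lines into tuning input, here is an added Python example (not part of the Connect2id server or its tooling) that parses the AS0285 and AS0278 events, attributes each allowed reuse to the client authenticated in the preceding OP6204 line, and reports how close the observed retry delays come to the configured window. The log format is taken from the two samples above; the additional lines in the sample are constructed, and the "near limit" heuristic is this example's own assumption.

```python
"""Mine Connect2id server log lines for rotated refresh token reuse events.

Added example, not Connect2id tooling. The line format follows the two
samples in the post; the extra lines in SAMPLE_LOG are constructed.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

CLIENT_AUTH_RE = re.compile(r"\[OP6204\] .* client_id=(?P<client>\S+)")
ALLOWED_RE = re.compile(
    r"\[AS0285\] Expended refresh token check: Allowed reuse within (?P<secs>\d+)s: "
    r"last_token_iat=(?P<last>\d+) checked_token_iat=(?P<checked>\d+)")
REVOKED_RE = re.compile(
    r"\[AS0278\] Revoked authorizations due to replay of rotated self-contained "
    r"refresh token: sub=(?P<sub>\S+) act=(?P<act>\S+) client_id=(?P<client>\S+)")

# Constructed sample: the post's two excerpts plus one more allowed reuse.
SAMPLE_LOG = """\
INFO TOKEN - [OP6204] Confidential client authenticated: client_id=etxmlfglafhn2 method=client_secret_basic client_auth_id=dUEgk8M0Bue_5AJR
INFO AUTHZ-STORE - [AS0285] Expended refresh token check: Allowed reuse within 1s: last_token_iat=1689583263 checked_token_iat=1689583257
INFO AUTHZ-STORE - [AS0280] Issued access token: sub=alice act= client_id=etxmlfglafhn2 scope=[read, write]
INFO TOKEN - [OP6204] Confidential client authenticated: client_id=etxmlfglafhn2 method=client_secret_basic client_auth_id=dUEgk8M0Bue_5AJR
INFO AUTHZ-STORE - [AS0285] Expended refresh token check: Allowed reuse within 4s: last_token_iat=1689583400 checked_token_iat=1689583390
INFO AUTHZ-STORE - [AS0280] Issued access token: sub=bob act= client_id=etxmlfglafhn2 scope=[read]
INFO TOKEN - [OP6204] Confidential client authenticated: client_id=hxds4i5olwtqc method=client_secret_basic client_auth_id=PNRC_b0DADRbx0Xx
INFO AUTHZ-STORE - [AS0278] Revoked authorizations due to replay of rotated self-contained refresh token: sub=alice act=null client_id=hxds4i5olwtqc
INFO AUTHZ-STORE - [AS0270] Invalid or expired refresh token: client_id=hxds4i5olwtqc
INFO TOKEN - [OP6201] Token error response: invalid_grant: Invalid grant
"""


def parse_events(text: str) -> Tuple[List[dict], List[dict]]:
    """Return (allowed_reuses, replay_revocations) found in the log text.

    AS0285 carries no client_id, so each allowed reuse is attributed to the
    client authenticated in the most recent OP6204 line (None if there is none).
    """
    client = None
    allowed, revoked = [], []
    for line in text.splitlines():
        m = CLIENT_AUTH_RE.search(line)
        if m:
            client = m.group("client")
            continue
        m = ALLOWED_RE.search(line)
        if m:
            allowed.append({"client_id": client, "delay_s": int(m.group("secs")),
                            "last_token_iat": int(m.group("last")),
                            "checked_token_iat": int(m.group("checked"))})
            continue
        m = REVOKED_RE.search(line)
        if m:
            revoked.append({"client_id": m.group("client"), "sub": m.group("sub")})
    return allowed, revoked


def summarize(text: str, grace_period: int = 5) -> Dict[str, object]:
    """Aggregate the events the way the two new meters do, plus tuning hints."""
    allowed, revoked = parse_events(text)
    delays = [e["delay_s"] for e in allowed]
    return {
        "allowed_reuses": len(allowed),              # cf. rotatedRefreshTokenAllowedReuses
        "replay_revocations": len(revoked),          # cf. rotatedRefreshTokenReplayRevocations
        "max_retry_delay_s": max(delays, default=0),
        # Heuristic (this example's assumption): retries landing within 1s of the
        # window's end suggest the grace period is tight for that client population.
        "near_limit": sum(1 for d in delays if d >= grace_period - 1),
        "allowed_by_client": dict(Counter(e["client_id"] for e in allowed)),
        "revoked_by_client": dict(Counter(e["client_id"] for e in revoked)),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A high revocation count for a client that is known to be legitimate, or allowed reuses clustering near the window's end, are the signals to look at before widening the period; reuses that are all well inside the window suggest it can stay short.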

This release also fixes two store-related bugs that appeared in the 14.0 major release last month. You can find more information in the release notes below.

Download 14.2

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 14.2: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 82eb1e8590911a982928825e6b9e77027fb35f04378ab9e19a37fe8a9b6e5b9f

Connect2id server 14.2 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 8a1b8e712afb4fad319ae784c51dfe0d496fcf84ad5b6cddf8ef15f106610624

Multi-tenant edition

Apache Tomcat package with Connect2id server 14.2: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 37764086c22ac4b2b35e539e647028010b919877892a81f794027daccd469109

Connect2id server 14.2 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 9e8bad8ad454a7b2755fcd61fe2c07b32cf4006f16c6ba82e396fbbd734f3e6f

Questions?

If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, or to renew or upgrade your support and updates subscription, email our sales team.


Release notes

14.2 (2023-07-17)

Configuration

  • /WEB-INF/authzStore.properties

    • authzStore.refreshToken.rotatedReuseGracePeriod -- New optional configuration property specifying a grace period in seconds during which a client may repeat a request with the same rotated refresh token without triggering the customary token revocation. Intended to enable token request retries on slow / poor networks where the HTTP response times out after issue of the new token. Currently supported only for refresh tokens linked to short-lived (transient) authorisations. The default value is 5 seconds.

Web API

  • /token

    • A client may repeat a token request with a rotated refresh token within the configured "authzStore.refreshToken.rotatedReuseGracePeriod" period without triggering the token revocation that the Connect2id server otherwise applies when it detects a replay of a rotated refresh token. Intended to enable token request retries on slow / poor networks where the HTTP response times out after issue of the new token. Currently supported only for refresh tokens linked to short-lived (transient) authorisations.
  • /monitor/v1/metrics

    • "authzStore.rotatedRefreshTokenReplayRevocations" -- New meter of authorisation revocations due to rotated refresh token replay.

    • "authzStore.rotatedRefreshTokenAllowedReuses" -- New meter of the allowed reuses of rotated refresh tokens within the configured grace period.

Resolved issues

  • Fixes the Redis HMGET retrieval of the "last used" (u) field in the Infinispan Redis connector, which caused a subject session max_idle > 0 not to be observed in Connect2id server deployments with a Redis store (issue server/899).

  • Writes to Oracle database CLOB / NCLOB fields with long strings that trigger the string concatenation work-around must escape quote chars (issue sql-store/20).

Dependency changes

  • Updates to com.nimbusds:oauth2-authz-store:24.5.1

  • Updates Infinispan to 14.0.11.Final

  • Updates to com.nimbusds:infinispan-cachestore-sql:7.0.4

  • Updates to com.nimbusds:infinispan-cachestore-redis:10.0.2

  • Updates to BouncyCastle 1.74

  • Updates to com.google.crypto.tink:tink:1.9.0