| ▲ | mooreds 10 hours ago | |||||||
This was probably partly a Google refresh token theft (given the length of the access). No inside info, just looking at how the attack occurred. OAuth 2.1[0] (an RFC that has been around longer than I've been at my employer) recommends some protections around refresh tokens, either making them sender constrained (tied to the client application by public/private key cryptography) or one-time use with revocation if it is used multiple times. This is recommended for public clients, but I think makes sense for all clients. The first option is more difficult to implement, but is similar to the IP address solution you suggest. More robust though. The second option would have made this attack more difficult because the refresh token held by the legit client, context.ai, would have stopped working, presumably triggering someone to look into why and wonder if the tokens had been stolen. 0: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1 | ||||||||
| ▲ | hvb2 9 hours ago | parent [-] | |||||||
One time use of refresh tokens is really common? Where each refresh will get you a new access token AND a new refresh token? That's standard in oidc I believe | ||||||||
| ||||||||