diff --git a/AUTHORS b/AUTHORS index 357abc2fa..90de74fa0 100644 --- a/AUTHORS +++ b/AUTHORS @@ -104,6 +104,7 @@ Shaheed Haque Shaun Stanworth Silvano Cerza Sora Yanai +Sören Wegener Spencer Carroll Stéphane Raimbault Tom Evans diff --git a/CHANGELOG.md b/CHANGELOG.md index 362fd74b3..a09dedb3b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [unreleased] ### Added +* #1404 Add a new setting `REFRESH_TOKEN_REUSE_PROTECTION` ### Changed ### Deprecated ### Removed diff --git a/docs/settings.rst b/docs/settings.rst index 901fe8575..4ebe6cc47 100644 --- a/docs/settings.rst +++ b/docs/settings.rst @@ -185,6 +185,18 @@ The import string of the class (model) representing your refresh tokens. Overwri this value if you wrote your own implementation (subclass of ``oauth2_provider.models.RefreshToken``). +REFRESH_TOKEN_REUSE_PROTECTION +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +When this is set to ``True`` (default ``False``), and ``ROTATE_REFRESH_TOKEN`` is used, the server will check +if a previously, already revoked refresh token is used a second time. If it detects a reuse, it will automatically +revoke all related refresh tokens. +A reused refresh token indicates a breach. Since the server can't determine which request came from the legitimate +user and which from an attacker, it will end the session for both. The user is required to perform a new login. + +Can be used in combination with ``REFRESH_TOKEN_GRACE_PERIOD_SECONDS`` + +More details at https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-29#name-recommendations + ROTATE_REFRESH_TOKEN ~~~~~~~~~~~~~~~~~~~~ When is set to ``True`` (default) a new refresh token is issued to the client when the client refreshes an access token.
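Review bot: the CHANGELOG hunk (`* #1404 Add a new setting ...`) should say that the setting is opt-in (default ``False``) and only takes effect together with ``ROTATE_REFRESH_TOKEN``, as the docs hunk states; a one-line entry naming only the setting leaves upgraders unaware that nothing changes until they enable it.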
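Review bot: in the docs/settings.rst hunk, "it will automatically revoke all related refresh tokens" leaves "related" undefined; state exactly which tokens are revoked (for example, every refresh token issued from the same original grant for that user and application) so operators know the blast radius of a detected reuse. The line "Can be used in combination with ``REFRESH_TOKEN_GRACE_PERIOD_SECONDS``" also needs to spell out the interaction: is a second use of a rotated token inside the grace period treated as a legitimate retry rather than as reuse, with revocation only after the grace period ends? Without that sentence readers cannot tell whether the two settings conflict. Since the text itself says a reused token "indicates a breach", it is worth adding that such an event should be logged so it can be alerted on. Minor wording: "a previously, already revoked refresh token" reads awkwardly ("a refresh token that has already been rotated out" is clearer), "it will end the session for both" is really "it revokes the tokens held by both", and the grace-period line is missing its terminating period.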