By setting an expiration date on refresh tokens, the window in which a leaked token can be abused is reduced. Limiting their lifespan also ensures tokens are rotated regularly and forces users to reauthenticate periodically, which strengthens overall security and keeps access rights current. This practice helps mitigate risks such as unauthorized access and session hijacking.
Check
Verify API refresh tokens are configured to expire according to organization-defined parameters.
If API refresh tokens are not configured to expire according to organization-defined parameters, this is a finding.
Fix
Build or configure API refresh tokens to expire according to organization-defined parameters.
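An added example (not part of this control, and not any product's own implementation) of how a refresh-token store can satisfy the check: every token carries an absolute expiry, an expired token is refused, and a used token is invalidated and replaced. The lifetime constant, the in-memory dictionary and the injectable clock are assumptions for illustration.

```python
import hashlib
import secrets
import time

# Assumed organization-defined refresh-token lifetime; set from policy.
REFRESH_TTL_SECONDS = 7 * 24 * 3600


class RefreshTokenStore:
    """In-memory refresh-token store: issues tokens with an absolute expiry,
    rejects expired ones, and rotates (single use) on every refresh."""

    def __init__(self, ttl_seconds=REFRESH_TTL_SECONDS, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock  # injectable for testing the expiry path
        self._tokens = {}   # sha256(token) -> (subject, expires_at)

    @staticmethod
    def _key(token):
        # Store only a hash so a leaked store does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, subject):
        """Mint a new random refresh token bound to subject, expiring after ttl."""
        token = secrets.token_urlsafe(32)
        self._tokens[self._key(token)] = (subject, self.clock() + self.ttl)
        return token

    def refresh(self, token):
        """Return (subject, new_token), or None if the token is unknown or expired.
        The presented token is removed either way, so it cannot be replayed."""
        entry = self._tokens.pop(self._key(token), None)
        if entry is None:
            return None
        subject, expires_at = entry
        if self.clock() >= expires_at:
            return None  # expired: caller must reauthenticate
        return subject, self.issue(subject)
```

Auditing this against the check means confirming that `expires_at` is always set from the organization-defined lifetime and that no code path honors a token past it.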