The API must refresh assertions in accordance with organization-defined identification and authentication policy.

STIG ID: SRG-APP-000985-API-001675 | SRG: SRG-APP-000985 | Severity: medium | CCI: CCI-005160, CCI-000366 | Vulnerability Id: V-274843

Vulnerability Discussion

An API must refresh assertions to maintain secure, uninterrupted access while ensuring that authentication and authorization remain valid over time. Assertions such as JWTs or SAML tokens usually carry expiration times to limit the window of misuse if one is compromised. By implementing a mechanism to refresh these assertions, typically through refresh tokens or reauthentication flows, the API can issue new assertions without requiring the user to log in repeatedly. This supports seamless sessions for the user and also strengthens security, because each refresh is a point at which the user's credentials and access rights are re-evaluated. Refreshing assertions ensures that access remains both valid and aligned with any changes in user roles, permissions, or session status.

Check

Check if the API refreshes assertions in accordance with the organization-defined identification and authentication policy.

Review the API's handling of assertion expiration and renewal.

Ensure the API follows the organization's defined policies for assertion lifetime, including the duration before assertions need to be refreshed or reissued.

Check if the API requires reauthentication or uses a secure refresh mechanism, such as refresh tokens or secure revalidation processes, to generate new assertions when they expire.

Verify the process for refreshing assertions maintains security standards, including proper encryption, secure token storage, and validation of the refreshed assertions before they are issued.

Review the API's implementation to confirm it adheres to the organization's authentication policy for refreshing assertions, ensuring that refreshed assertions carry up-to-date identity information and relevant claims, and that they are properly scoped.

Test the API by requesting new assertions after expiration and examining whether they are refreshed securely and according to policy, ensuring compliance with the organization's standards for identity management and authentication.

If the API does not refresh assertions in accordance with organization-defined identification and authentication policy, this is a finding.
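The following is an added illustration of the refresh mechanism described in the discussion and exercised by the check steps above; it is example code written for this page, not part of the STIG or of any particular API. It assumes a Python API that issues short-lived HS256 JWTs as assertions and server-side refresh tokens. The signing key, token lifetimes, user directory, and the `USERS`, `REFRESH_STORE`, `login`, and `refresh` names are all constructed for the example; a real deployment takes the key and lifetimes from configuration that reflects the organization-defined policy. The refresh path re-reads the identity directory so role changes and disabled accounts take effect at the next refresh, rotates the refresh token so a previously used one is rejected, and validates the new assertion before handing it out.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed values for this example only.
SIGNING_KEY = b"example-only-hs256-key-do-not-reuse"
ACCESS_TTL = 300      # seconds an access assertion stays valid (policy-defined)
REFRESH_TTL = 3600    # seconds a refresh token stays valid (policy-defined)

# Constructed identity directory; refresh re-reads it so that role changes
# and disabled accounts are reflected in the next assertion issued.
USERS = {"alice": {"active": True, "roles": ["user"]}}

# Server-side refresh token store: token -> record. Tokens are single-use;
# the record is kept and marked revoked so a replayed token is detectable.
REFRESH_STORE = {}


class TokenError(Exception):
    """Raised when an assertion or refresh token fails validation."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(sub: str, roles: list, now: float) -> str:
    """Mint a short-lived HS256 JWT carrying the subject's current roles."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": sub, "roles": roles, "iat": int(now), "exp": int(now) + ACCESS_TTL}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_access_token(token: str, now: float) -> dict:
    """Check algorithm, signature and expiry; return the claims or raise TokenError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h, p, s = parts
    if json.loads(_unb64url(h)).get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s)):
        raise TokenError("bad signature")
    claims = json.loads(_unb64url(p))
    if now >= claims["exp"]:
        raise TokenError("access token expired")
    return claims


def access_token_is_valid(token: str, now: float) -> bool:
    """Convenience wrapper: True if the assertion still verifies at time `now`."""
    try:
        verify_access_token(token, now)
        return True
    except TokenError:
        return False


def issue_refresh_token(sub: str, now: float) -> str:
    """Create an opaque, server-tracked refresh token bound to the subject."""
    token = secrets.token_urlsafe(32)
    REFRESH_STORE[token] = {"sub": sub, "exp": now + REFRESH_TTL, "revoked": False}
    return token


def login(sub: str, now: float) -> tuple:
    """Primary authentication is assumed to have succeeded; issue the token pair."""
    user = USERS.get(sub)
    if user is None or not user["active"]:
        raise TokenError("unknown or disabled subject")
    return issue_access_token(sub, list(user["roles"]), now), issue_refresh_token(sub, now)


def refresh(refresh_token: str, now: float) -> tuple:
    """Exchange a valid refresh token for a fresh assertion and a rotated refresh token."""
    rec = REFRESH_STORE.get(refresh_token)
    if rec is None:
        raise TokenError("unknown refresh token")
    if rec["revoked"]:
        raise TokenError("refresh token already used")   # replay of a rotated token
    if now >= rec["exp"]:
        raise TokenError("refresh token expired")        # policy requires full reauthentication
    user = USERS.get(rec["sub"])
    if user is None or not user["active"]:
        rec["revoked"] = True
        raise TokenError("subject no longer active")
    rec["revoked"] = True                                 # rotate: old token is single-use
    new_access = issue_access_token(rec["sub"], list(user["roles"]), now)
    verify_access_token(new_access, now)                  # validate before issuing
    return new_access, issue_refresh_token(rec["sub"], now)
```

The access token carries the roles read at refresh time, so a role added or removed in the directory is reflected in the next assertion without a new login, and disabling the account causes the next refresh to fail instead of silently extending the session. Keeping revoked refresh records rather than deleting them is what lets the API distinguish an unknown token from one that was already spent.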

Fix

Build or configure the API to refresh assertions in accordance with organization-defined identification and authentication policy.