Vulnerability Discussion
An API must refresh access tokens to maintain secure, uninterrupted access while minimizing the risk of token misuse or expiration. Access tokens typically have a limited lifespan and refreshing them allows users to maintain active sessions without needing to re-authenticate.
If the API is not relying on an API Gateway for token management, it becomes responsible for issuing and refreshing tokens directly, ensuring that users can continue to interact with the API seamlessly, while also enforcing up-to-date authentication. By implementing token refresh, the API can validate the user's ongoing permissions, reduce the risk of session hijacking, and prevent users from being locked out due to expired tokens, all while maintaining a stateless, scalable approach to security.

Check
Review the API or authorization server's refresh token endpoint logic. Confirm that it validates the refresh token, checks expiration, and enforces any associated conditions like device binding or client verification.
Simulate valid and invalid refresh scenarios. Use an active refresh token to obtain a new access token and confirm that the new token includes required claims, is properly signed, and has an appropriate expiration time.
Verify the refresh process enforces client authentication, restricts token reuse (e.g., one-time-use refresh tokens if required), and aligns with the cryptographic and authentication strength.
Examine the newly issued access tokens to verify they include correct fields like exp, iat, aud, and scope, and that their validity periods are consistent with the organization's guidelines.
Consult the API or identity provider documentation and configuration to verify refresh behavior is implemented in accordance with the defined organizational standards.
If any misconfigurations are identified, this is a finding.

Fix
Build or configure the API to refresh access tokens in accordance with organization-defined identification and authentication policy.
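The following is an added example of refresh-endpoint logic that exercises each of the check steps above (refresh token validation, expiration, client authentication, one-time use with rotation, and issued access tokens carrying exp, iat, aud and scope); it is illustrative code written for this page, not from the STIG or from any particular API product. It assumes an HMAC-signed JSON token as a stand-in for a JWT so it runs with only the standard library, an in-memory refresh-token store, and a constructed client registry; the key, client id, client secret, and lifetimes are all constructed sample values.

```python
"""Added example: refresh-token endpoint logic with rotation and replay detection.
Tokens are HMAC-signed JSON (a stand-in for JWT, constructed for this example)."""
import base64
import hashlib
import hmac
import json
import secrets
import time

SIGNING_KEY = b"constructed-demo-key-do-not-use"     # constructed sample key
ACCESS_TTL = 900                                      # 15 min, example org limit
REFRESH_TTL = 7 * 86400                               # 7 days, example org limit
CLIENTS = {"mobile-app": "constructed-client-secret"}  # constructed client registry

# refresh_id -> record; a real deployment persists this server side
_refresh_store = {}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _sign(payload: dict) -> str:
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token: str, now=None) -> dict:
    """Check signature and expiry of an issued access token; ValueError on failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed token")
    body, sig = parts
    expected = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if payload["exp"] <= now:
        raise ValueError("token expired")
    return payload


def issue_tokens(sub: str, client_id: str, scope: str, now=None) -> dict:
    """Issue an access token with the required claims plus a fresh refresh token."""
    now = int(time.time()) if now is None else int(now)
    access = _sign({"sub": sub, "aud": client_id, "scope": scope,
                    "iat": now, "exp": now + ACCESS_TTL, "typ": "access"})
    rid = secrets.token_urlsafe(16)
    _refresh_store[rid] = {"sub": sub, "client_id": client_id, "scope": scope,
                           "exp": now + REFRESH_TTL, "used": False}
    return {"access_token": access, "refresh_token": rid}


def refresh(refresh_token: str, client_id: str, client_secret: str, now=None) -> dict:
    """The refresh endpoint: authenticate the client, validate the refresh token,
    enforce one-time use, then rotate and issue new tokens."""
    now = int(time.time()) if now is None else int(now)
    # 1. client authentication (constant-time compare of the registered secret)
    if not hmac.compare_digest(CLIENTS.get(client_id, ""), client_secret):
        raise PermissionError("client authentication failed")
    rec = _refresh_store.get(refresh_token)
    if rec is None:
        raise PermissionError("unknown refresh token")
    # 2. replay detection: a second use signals possible theft, so revoke the
    #    whole chain for this subject/client rather than serving either party
    if rec["used"]:
        for r in _refresh_store.values():
            if r["sub"] == rec["sub"] and r["client_id"] == rec["client_id"]:
                r["used"] = True
        raise PermissionError("refresh token reuse detected; chain revoked")
    # 3. client binding: the token may only be redeemed by the client it was issued to
    if rec["client_id"] != client_id:
        raise PermissionError("refresh token not bound to this client")
    # 4. refresh-token expiration
    if rec["exp"] <= now:
        raise PermissionError("refresh token expired")
    rec["used"] = True                       # one-time use: consume before rotating
    return issue_tokens(rec["sub"], client_id, rec["scope"], now)
```

When reviewing a real endpoint against the check, the points to look for map onto the numbered comments: client authentication before any lookup, explicit handling of a reused refresh token, binding the refresh token to the issuing client, and a refresh lifetime that is enforced independently of the access-token lifetime. The `now` parameter exists only so the expiry paths can be driven deterministically during testing.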