An API must time-restrict access tokens to enhance security by limiting the window of opportunity for unauthorized access. Access tokens typically have an expiration time to reduce the risks associated with token theft or misuse.
Without an API gateway to handle token expiration, the API itself must enforce token validity by ensuring tokens are only accepted for a limited period. This will mitigate the impact of a compromised token by preventing it from being used indefinitely. Time-restricting tokens also ensures that the API regularly re-validates user sessions, aligns with best security practices, and forces users to re-authenticate after a certain period, thereby reducing the chance of long-term unauthorized access.
Check
Examine the organization's identification and authentication policy for the required lifespan of access tokens. This includes default expiration times, any conditions for shorter or longer durations, and rules for different user roles or access levels.
Review the code or configuration responsible for generating access tokens to ensure it sets the exp (expiration) and iat (issued at) claims according to policy. Confirm that tokens are not issued with excessively long lifetimes unless explicitly allowed.
Authenticate and obtain access tokens under various scenarios (e.g., user login, system-to-system access). Decode the tokens (e.g., if they are JWTs) and check the exp and iat fields to verify the validity period aligns with the organization's defined rules.
Wait until a token expires and attempt to use it with the API. Confirm the API correctly rejects expired tokens with appropriate error responses (e.g., HTTP 401 Unauthorized or 403 Forbidden).
Determine whether the API adjusts token lifespans based on risk factors, user roles, or sensitivity of requested resources. This must also comply with the organizational policy.
Ensure the API validates the exp claim on each request and denies access to expired tokens.
Look into API or identity provider configuration files to confirm that token timeout values match policy-defined thresholds.
If any misconfigurations are identified, this is a finding.
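The validation the Check steps exercise, as an added example that is not part of the control text: a standard-library-only HS256 JWT validator that verifies the signature first, then enforces exp and iat against a policy maximum lifetime and rejects expired tokens with a 401. The policy thresholds, the signing secret, and the claim sets are constructed placeholders, not values from any real issuer.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Policy thresholds are constructed placeholders; take the real values from the
# organization's identification and authentication policy.
MAX_LIFETIME_S = 15 * 60   # longest exp - iat the policy permits for this token type
CLOCK_SKEW_S = 30          # tolerated clock drift between the issuer and the API

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(secret: bytes, claims: dict) -> str:
    """Constructed HS256 issuer used only to build sample tokens for the checks below."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_token(token: str, secret: bytes, now: Optional[int] = None) -> tuple:
    """Return (http_status, reason); 200 only when signature, exp and iat all pass policy."""
    now = int(time.time()) if now is None else now
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return 401, "malformed"
    if json.loads(_unb64url(header)).get("alg") != "HS256":
        return 401, "unsupported_alg"          # accept only the algorithm this API keys for
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        return 401, "bad_signature"            # verify before trusting any claim
    claims = json.loads(_unb64url(payload))
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, (int, float)) or not isinstance(iat, (int, float)):
        return 401, "missing_exp_or_iat"       # no expiry means it never times out: reject
    if exp - iat > MAX_LIFETIME_S:
        return 401, "lifetime_exceeds_policy"  # issuer minted a longer token than policy allows
    if iat > now + CLOCK_SKEW_S:
        return 401, "issued_in_future"
    if now >= exp + CLOCK_SKEW_S:
        return 401, "expired"                  # the expired-token case: reject with 401
    return 200, "ok"
```

Passing now explicitly lets the expiry step be tested without waiting for a real token to lapse.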
Fix
Build or configure the API to revoke access tokens in accordance with organization-defined identification and authentication policy.