
Help Needed: Token Reuse Issue Across Users and refresh token #9146


Yaduraj.Shakti created

Please help us with the following scenario:

In our application, we are facing an issue where access tokens issued for one user can potentially be used by another user to make API requests. This is creating a significant security concern regarding token validation.

We attempted to mitigate the risk by reducing the access token lifetime, but this introduces the need to implement refresh tokens, which adds complexity.

Our key requirement is: The access token generated for a specific user/session should only be usable by that same user on the same device or session. No other system or user should be able to reuse or impersonate that token. What is the best practice in ABP.IO (and OpenIddict) to ensure tokens are strictly bound to the original user and device/session? Is there a recommended way to include and validate a session ID, device fingerprint, or user agent for this purpose?

Any guidance on how to implement this securely within the ABP.IO framework would be greatly appreciated.

We followed the documentation here: https://abp.io/docs/8.0/Modules/OpenIddict#refresh-token

The following is a snapshot of our OpenIddict build and server configuration:

ABP Framework version: v8.3.1
UI Type: Angular
Database System: EF Core (PostgreSQL)
Tiered (for MVC) or Auth Server Separated (for Angular): yes
Exception message and full stack trace: NA
Steps to reproduce the issue: NA


7 Answer(s)
  • maliming created
    Support Team Fullstack Developer

    hi

    access tokens issued for one user can potentially be used by another user to make API requests.

    Why can one user's token be obtained by another user? How did he get it?

    Thanks

  • Yaduraj.Shakti created

    > hi
    >
    > access tokens issued for one user can potentially be used by another user to make API requests.
    >
    > Why can one user's token be obtained by another user? How did he get it?
    >
    > Thanks

    Hi @maliming

    Let me clarify the context further, here is my updated reply:

    During our recent security and penetration testing, we identified a critical vulnerability related to token validation. Specifically, an access token issued for one user can be used by another user or system to access protected resources. This token reuse issue represents a serious security risk.

    We must address this immediately to prevent potential misuse and ensure secure access to our application.

    Please guide us on all the possible options. How do we achieve the following:

    • Access tokens should be strictly tied to the user, device, or session they were issued for.
    • No other user or system should be able to use someone else’s token to make API requests.

    Thanks

  • maliming created
    Support Team Fullstack Developer

    hi

    It's not only about access tokens; the same "problem" exists with cookies. Browsers will strictly protect tokens or cookies. No one can obtain your cookies and tokens.

    We also use common protective measures (HTTPS, XSS, XSRF/CSRF).

    https://learn.microsoft.com/en-us/aspnet/core/security/?view=aspnetcore-9.0

  • Yaduraj.Shakti created

    Thanks a lot @maliming

    I will ensure that we are using common protective measures.

    However, in our application tokens are short-lived and this is impacting

    • user experience with frequent re-authentication
    • technical issues or broken functionality due to token expiration during active use (example: we have long-running background tasks)

    Could you please provide guidance or share an example of how to implement the access token + refresh token flow within ABP.IO (Angular + .NET Core backend)? Please note we recently migrated from IdentityServer to OpenIddict.

  • maliming created
    Support Team Fullstack Developer

    hi

    ABP & OpenIddict support the access token + refresh token flow.

    Is there an offline_access scope in your angular environment.ts file?

    
    import { Environment } from '@abp/ng.core';
    
    const baseUrl = 'http://localhost:4200';
    
    const oAuthConfig = {
      //...
      scope: 'offline_access MyProjectName'
    };
    
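As an added illustration of the reply above (not code from ABP, OpenIddict or the thread), the following self-contained TypeScript model shows why the `offline_access` scope matters: the constructed stand-in token endpoint only issues a refresh token when that scope is requested, so with the scope an expired short-lived access token is silently refreshed, while without it the user must log in again. All names (`tokenEndpoint`, `ensureAccessToken`, `simulate`) and the 5-minute lifetime are assumptions for the example.

```typescript
interface TokenSet { accessToken: string; expiresAt: number; refreshToken?: string }
type Outcome = 'reused' | 'refreshed' | 'relogin-required';

const ACCESS_TOKEN_LIFETIME_MS = 5 * 60 * 1000; // assumed short-lived access token
let issued = 0; // counter so every issued token is distinct

// Constructed stand-in for the authorization server's token endpoint.
// A refresh token is issued only when "offline_access" is in the requested scope,
// which is the standard OpenID Connect rule the reply above relies on.
function tokenEndpoint(scope: string, now: number, refreshToken?: string): TokenSet | null {
  const offline = scope.split(' ').includes('offline_access');
  // Reject a refresh attempt with a token this server never issued.
  if (refreshToken !== undefined && !refreshToken.startsWith('rt-')) return null;
  issued += 1;
  return {
    accessToken: `at-${issued}`,
    expiresAt: now + ACCESS_TOKEN_LIFETIME_MS,
    refreshToken: offline ? `rt-${issued}` : undefined,
  };
}

// Client side: reuse the access token while valid; when it has expired, use the
// refresh token if one is held, otherwise the user must authenticate again.
function ensureAccessToken(tokens: TokenSet, scope: string, now: number): { tokens: TokenSet; outcome: Outcome } {
  if (now < tokens.expiresAt) return { tokens, outcome: 'reused' };
  if (tokens.refreshToken === undefined) return { tokens, outcome: 'relogin-required' };
  const fresh = tokenEndpoint(scope, now, tokens.refreshToken);
  if (fresh === null) return { tokens, outcome: 'relogin-required' };
  return { tokens: fresh, outcome: 'refreshed' };
}

// Walk one client through login, an API call inside the token lifetime and one
// after expiry, returning the outcomes so the two scope settings can be compared.
function simulate(scope: string): Outcome[] {
  const t0 = 1_700_000_000_000; // constructed fixed clock (ms since epoch)
  let tokens = tokenEndpoint(scope, t0)!; // interactive login
  const outcomes: Outcome[] = [];
  for (const dt of [60_000, ACCESS_TOKEN_LIFETIME_MS + 1]) {
    const r = ensureAccessToken(tokens, scope, t0 + dt);
    tokens = r.tokens;
    outcomes.push(r.outcome);
  }
  return outcomes;
}

console.log(simulate('MyProjectName'));                // [ 'reused', 'relogin-required' ]
console.log(simulate('offline_access MyProjectName')); // [ 'reused', 'refreshed' ]
```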
  • Yaduraj.Shakti created

    Hi @maliming

    No, we don't have this scope in our environment.ts file.

  • maliming created
    Support Team Fullstack Developer

    Ok, you can add it to your scope, then Angular will use the refresh token automatically.

    Thanks

Made with ❤️ on ABP v9.3.0-preview. Updated on April 16, 2025, 12:13