Please help us with the following scenario:
In our application, we are facing an issue where access tokens issued for one user can potentially be used by another user to make API requests. This is creating a significant security concern regarding token validation.
We attempted to mitigate the risk by reducing the access token lifetime, but this introduces the need to implement refresh tokens, which adds complexity.
Our key requirement is: The access token generated for a specific user/session should only be usable by that same user on the same device or session. No other system or user should be able to reuse or impersonate that token. What is the best practice in ABP.IO (and OpenIddict) to ensure tokens are strictly bound to the original user and device/session? Is there a recommended way to include and validate a session ID, device fingerprint, or user agent for this purpose?
Any guidance on how to implement this securely within the ABP.IO framework would be greatly appreciated.
We followed the documentation here: https://abp.io/docs/8.0/Modules/OpenIddict#refresh-token
Following is the snapshot of our OpenIddict build and server configuration:
ABP Framework version: v8.3.1 UI Type: Angular Database System: EF Core (PostgreSQL) Tiered (for MVC) or Auth Server Separated (for Angular): yes Exception message and full stack trace: NA Steps to reproduce the issue: NA
7 Answer(s)
-
0
hi
access tokens issued for one user can potentially be used by another user to make API requests.
Why can one user's token be obtained by another user? How did he get it?
Thanks
-
0
hi
access tokens issued for one user can potentially be used by another user to make API requests.
Why can one user's token be obtained by another user? How did he get it?
Thanks
Hi @maliming
Let me clarify the context further, here is my updated reply:
During our recent security and penetration testing, we identified a critical vulnerability related to token validation. Specifically, an access token issued for one user can be used by another user or system to access protected resources. This token reuse issue represents a serious security risk.
We must address this immediately to prevent potential misuse and ensure secure access to our application.
Please guide on all the possible options. How to achieve followings:
- Access tokens should be strictly tied to the user, device, or session they were issued for.
- No other user or system should be able to use someone else’s token to make API requests.
Thanks
-
0
hi
It's not only about access tokens, but also the same "problem" with cookies Browsers will strictly protect tokens or cookies. No one can obtain your cookies and tokens.
We also use common protective measures(
HTTPS, XSS, XSRF/CSRF).https://learn.microsoft.com/en-us/aspnet/core/security/?view=aspnetcore-9.0
-
0
Thanks a lot @maliming
I will ensure that we are using common protective measures.
However, in our application tokens are short lived and this is impacting
- user experience with frequent re-authentication
- technical issues or broken functionality due to token expiration during active use (example: we have long-running background tasks)
Could you please provide guidance or share an example of how to implement access token + refresh token flow within ABP.IO (Angular + .NET Core backend)? Please note we had recently migrated from IdentityServer to OpenIddict.
-
0
hi
ABP & OpenIddict support the
access token + refresh token flow.Is there an
offline_accessscope in your angularenvironment.tsfile?import { Environment } from '@abp/ng.core'; const baseUrl = 'http://localhost:4200'; const oAuthConfig = { //... scope: 'offline_access MyProjectName' }; -
0
Hi @maliming
No we don;t have this scope in our environement.ts file.
-
0
Ok, you can add it to your scope, the. Angular will use refresh token automatically.
Thanks
