Connect2id server 14.2 introduces reuse grace period for rotated refresh tokens
The current OAuth 2.0 best practices mandate that refresh tokens issued to public clients be either sender-constrained (with mTLS or DPoP) or rotated, so that a refresh token which suffers a leak and gets into the hands of a malicious actor cannot be replayed. With rotation every use of a refresh token expends it and yields a new one, so a later presentation of an expended token reveals the leak and lets the server revoke the affected authorisation.
One recognised drawback of rotation is the potential for false positives with legitimate public clients on a slow or poor network connection. The OAuth 2.0 server may have successfully processed the token request and output the response with the newly minted access and refresh tokens, but the client is unable to retrieve them due to an HTTP timeout or an interrupted connection. The client will then typically retry the request with the previous refresh token, but because the server has already flagged that token as rotated the client will get an
To mitigate such networking issues the Connect2id server introduces a short grace period during which the client may retry the token request with the same refresh token. The default grace period is 5 seconds and can be changed with the new authzStore.refreshToken.rotatedReuseGracePeriod configuration property (see the release notes below). The grace period is currently supported only for refresh tokens linked to short-lived (transient) authorisations. Keep in mind that within the window the server cannot tell a legitimate retry from a replay of a leaked token, so keep the period as short as your clients' network conditions allow.
To monitor the frequency of rotated refresh token reuses, both those that were allowed to proceed within the grace period and those that were rejected, two new meters were added:
authzStore.rotatedRefreshTokenAllowedReuses -- Meters allowed reuses of rotated refresh tokens within the configured grace period.
authzStore.rotatedRefreshTokenReplayRevocations -- Meters authorisation revocations due to rotated refresh token replay.
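The following is an added model of the rotation-with-grace-period logic described above and of what the two meters count; it is illustration code and not Connect2id server code. Everything in it that the page does not state is an assumption: that the grace window is measured from the issue time (iat) of the newest token in the rotation chain (which is what "within 1s" in the AS0285 log line suggests), that a retry inside the window simply gets the successor token the client missed (so retries cannot slide the window open indefinitely), and that a replay outside the window revokes every authorisation the client holds for that subject. The client_id and timestamps are taken from the log excerpts on this page.

```python
"""Model of rotated refresh token replay detection with a reuse grace period.

Added illustration, not Connect2id server code. Assumptions not stated on the
page: the grace window is measured from the issue time (iat) of the newest
token in the rotation chain; a retry inside the window gets the successor
token the client missed, so retries cannot slide the window; a replay outside
the window revokes every authorisation the client holds for that subject.
"""
import secrets
from dataclasses import dataclass, field

GRACE_PERIOD_SECONDS = 5  # the page's default for rotatedReuseGracePeriod


class InvalidGrant(Exception):
    """Maps to the invalid_grant token error response."""


@dataclass
class TokenRecord:
    sub: str
    client_id: str
    iat: int
    chain_id: str            # shared by every token in one rotation lineage
    expended: bool = False   # set once the token has been rotated


@dataclass
class AuthzStore:
    grace_period: int = GRACE_PERIOD_SECONDS
    tokens: dict = field(default_factory=dict)           # value -> TokenRecord
    latest_in_chain: dict = field(default_factory=dict)  # chain_id -> value
    allowed_reuses: int = 0       # cf. authzStore.rotatedRefreshTokenAllowedReuses
    replay_revocations: int = 0   # cf. authzStore.rotatedRefreshTokenReplayRevocations

    def issue(self, sub, client_id, now, chain_id=None):
        value = secrets.token_urlsafe(24)
        self.tokens[value] = TokenRecord(sub, client_id, now, chain_id or value)
        self.latest_in_chain[chain_id or value] = value
        return value

    def refresh(self, presented, client_id, now):
        rec = self.tokens.get(presented)
        if rec is None or rec.client_id != client_id:
            raise InvalidGrant("Invalid or expired refresh token")  # cf. AS0270
        if rec.expended:
            latest_value = self.latest_in_chain[rec.chain_id]
            age = now - self.tokens[latest_value].iat
            if age <= self.grace_period:
                self.allowed_reuses += 1                            # cf. AS0285
                return latest_value
            self.replay_revocations += 1                            # cf. AS0278
            self.revoke(rec.sub, client_id)
            raise InvalidGrant("Invalid grant")
        rec.expended = True
        return self.issue(rec.sub, client_id, now, rec.chain_id)

    def revoke(self, sub, client_id):
        """Drop every token the client holds for the subject."""
        for value, rec in list(self.tokens.items()):
            if rec.sub == sub and rec.client_id == client_id:
                del self.tokens[value]


def rejected(store, token, client_id, now):
    """True if the store answers the refresh with invalid_grant."""
    try:
        store.refresh(token, client_id, now)
    except InvalidGrant:
        return True
    return False


def demo():
    """Walk a client through rotation, a timed-out retry and a true replay."""
    store = AuthzStore()
    client = "etxmlfglafhn2"                    # client_id from the page's log
    rt0 = store.issue("alice", client, now=1689583250)
    rt1 = store.refresh(rt0, client, now=1689583263)    # normal rotation
    retry = store.refresh(rt0, client, now=1689583264)  # response lost, retry 1s later
    return {
        "rotated_token": rt1,
        "retry_token": retry,                   # the successor the client missed
        "allowed_reuses": store.allowed_reuses,
        # rt0 presented 37s after the rotation: outside the window, a replay
        "replay_rejected": rejected(store, rt0, client, now=1689583300),
        "replay_revocations": store.replay_revocations,
        # the revocation also kills the legitimate successor rt1
        "successor_still_valid": not rejected(store, rt1, client, now=1689583301),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it directly to print the walk-through. The design choice worth noting is the retry path: returning the already issued successor instead of rotating again means an attacker who obtained the old token cannot keep the chain alive by presenting it every few seconds, because the window is anchored to the one real rotation.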
Example rotated refresh token reuse within the grace period (grep for AS0285):
INFO TOKEN - [OP6204] Confidential client authenticated: client_id=etxmlfglafhn2 method=client_secret_basic client_auth_id=dUEgk8M0Bue_5AJR
INFO AUTHZ-STORE - [AS0285] Expended refresh token check: Allowed reuse within 1s: last_token_iat=1689583263 checked_token_iat=1689583257
INFO AUTHZ-STORE - [AS0280] Issued access token: sub=alice act= client_id=etxmlfglafhn2 scope=[read, write]
Example rotated refresh token reuse that was denied and triggered the customary revocation of the client's tokens for the subject (grep for AS0278):
INFO TOKEN - [OP6204] Confidential client authenticated: client_id=hxds4i5olwtqc method=client_secret_basic client_auth_id=PNRC_b0DADRbx0Xx
INFO AUTHZ-STORE - [AS0278] Revoked authorizations due to replay of rotated self-contained refresh token: sub=alice act=null client_id=hxds4i5olwtqc
INFO AUTHZ-STORE - [AS0270] Invalid or expired refresh token: client_id=hxds4i5olwtqc
INFO TOKEN - [OP6201] Token error response: invalid_grant: Invalid grant
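For operators who want these events in a SIEM rather than only in the meters, here is an added log parser that picks out the AS0285 and AS0278 lines and summarises them per client. It is example code, not part of the Connect2id server. The sample log is constructed from the two excerpts on this page plus an invented second allowed reuse; the regex treats the "self-contained" wording as optional because the page only shows that one token encoding (assumption), and the client_id attached to an AS0285 line is taken from the nearest preceding OP6204 line, which is only reliable for single-request excerpts since lines from concurrent requests interleave in a real server log.

```python
"""Parse Connect2id server log lines for rotated refresh token reuse events.

Added example, not Connect2id code. SAMPLE_LOG is constructed from the page's
two excerpts plus one invented allowed-reuse line. Correlating an AS0285 line
with the client_id of the preceding OP6204 line assumes a single request's
lines are contiguous, which concurrent requests do not guarantee.
"""
import re
from collections import Counter

CLIENT_AUTH = re.compile(r"\[OP6204\] .*?client_id=(\S+)")
ALLOWED_REUSE = re.compile(
    r"\[AS0285\] Expended refresh token check: Allowed reuse within (\d+)s: "
    r"last_token_iat=(\d+) checked_token_iat=(\d+)"
)
# "self-contained" is what the page shows; made optional (assumption) so that
# lines for other refresh token encodings are not silently dropped.
REPLAY_REVOCATION = re.compile(
    r"\[AS0278\] Revoked authorizations due to replay of rotated "
    r"(?:\S+ )?refresh token: sub=(\S+) act=(\S+) client_id=(\S+)"
)

SAMPLE_LOG = """\
INFO TOKEN - [OP6204] Confidential client authenticated: client_id=etxmlfglafhn2 method=client_secret_basic client_auth_id=dUEgk8M0Bue_5AJR
INFO AUTHZ-STORE - [AS0285] Expended refresh token check: Allowed reuse within 1s: last_token_iat=1689583263 checked_token_iat=1689583257
INFO AUTHZ-STORE - [AS0280] Issued access token: sub=alice act= client_id=etxmlfglafhn2 scope=[read, write]
INFO TOKEN - [OP6204] Confidential client authenticated: client_id=hxds4i5olwtqc method=client_secret_basic client_auth_id=PNRC_b0DADRbx0Xx
INFO AUTHZ-STORE - [AS0278] Revoked authorizations due to replay of rotated self-contained refresh token: sub=alice act=null client_id=hxds4i5olwtqc
INFO AUTHZ-STORE - [AS0270] Invalid or expired refresh token: client_id=hxds4i5olwtqc
INFO TOKEN - [OP6201] Token error response: invalid_grant: Invalid grant
INFO TOKEN - [OP6204] Confidential client authenticated: client_id=etxmlfglafhn2 method=client_secret_basic client_auth_id=dUEgk8M0Bue_5AJR
INFO AUTHZ-STORE - [AS0285] Expended refresh token check: Allowed reuse within 4s: last_token_iat=1689583400 checked_token_iat=1689583390
"""


def parse_events(lines):
    """Yield one dict per AS0285 (allowed reuse) or AS0278 (replay) line."""
    current_client = None
    for line in lines:
        m = CLIENT_AUTH.search(line)
        if m:
            current_client = m.group(1)
            continue
        m = ALLOWED_REUSE.search(line)
        if m:
            yield {
                "event": "allowed_reuse",
                "client_id": current_client,      # from the preceding OP6204 line
                "reuse_after_s": int(m.group(1)),
                "last_token_iat": int(m.group(2)),
                "checked_token_iat": int(m.group(3)),
            }
            continue
        m = REPLAY_REVOCATION.search(line)
        if m:
            yield {
                "event": "replay_revocation",
                "sub": m.group(1),
                "act": None if m.group(2) == "null" else m.group(2),
                "client_id": m.group(3),
            }


def summarize(log_text):
    """Counts matching the two new meters, plus who got revoked and how late
    the slowest tolerated retry arrived."""
    events = list(parse_events(log_text.splitlines()))
    allowed = [e for e in events if e["event"] == "allowed_reuse"]
    replays = [e for e in events if e["event"] == "replay_revocation"]
    return {
        "allowed_reuses": len(allowed),
        "replay_revocations": len(replays),
        "allowed_reuses_by_client": Counter(e["client_id"] for e in allowed),
        "revoked_subjects": sorted({(e["sub"], e["client_id"]) for e in replays}),
        "max_reuse_delay_s": max((e["reuse_after_s"] for e in allowed), default=0),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Two readings are useful in practice: a client whose allowed-reuse delays cluster near the configured grace period is close to being cut off and may need a larger window or a faster network path, while any AS0278 event deserves an alert, because with the grace period in place it indicates either a leaked refresh token or a client with broken retry logic.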
This release also fixes two store related bugs that appeared in the major 14.0 release last month. You can find more information in the release notes below.
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 14.2: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
Connect2id server 14.2 WAR package: c2id.war
GPG signature: c2id.war.asc
Multi-tenant Connect2id server edition
Apache Tomcat package with Connect2id server 14.2: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
Connect2id server 14.2 WAR package: c2id-mt.war
GPG signature: c2id-mt.war.asc
If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.
- authzStore.refreshToken.rotatedReuseGracePeriod -- New optional configuration property specifying a grace period in seconds during which a client may repeat a token request with the same rotated refresh token without triggering the customary token revocation. Intended to enable token request retries on slow / poor networks where the HTTP response times out after the new token has been issued. Currently supported only for refresh tokens linked to short-lived (transient) authorisations. The default value is 5 seconds.
- When the Connect2id server detects a replay of a rotated refresh token within the configured "authzStore.refreshToken.rotatedReuseGracePeriod", the repeated token request is allowed to proceed without triggering the customary token revocation. Intended to enable token request retries on slow / poor networks where the HTTP response times out after the new token has been issued. Currently supported only for refresh tokens linked to short-lived (transient) authorisations.
"authzStore.rotatedRefreshTokenReplayRevocations" -- New meter of authorisation revocations due to rotated refresh token replay.
"authzStore.rotatedRefreshTokenAllowedReuses" -- New meter of the allowed reuses of rotated refresh tokens within the configured grace period.
Fixes Redis HMGET retrieval of the "last used" (u) field in the Infinispan Redis connector that caused subject session max_idle > 0 to not be observed in Connect2id server deployments with a Redis store (issue server/899).
Fixes writes to Oracle database CLOB / NCLOB fields with long strings that trigger the string concatenation work-around, which must escape quote chars (issue sql-store/20).
Updates to com.nimbusds:oauth2-authz-store:24.5.1
Updates Infinispan to 14.0.11.Final
Updates to com.nimbusds:infinispan-cachestore-sql:7.0.4
Updates to com.nimbusds:infinispan-cachestore-redis:10.0.2
Updates to BouncyCastle 1.74
Updates to com.google.crypto.tink:tink:1.9.0