
Revoke tokens when authorization code replay is detected (RFC 6749 Section 10.5) #37

@leodip

Summary

Implement token revocation when multiple attempts to exchange the same authorization code are detected, as recommended by RFC 6749 Section 10.5.

Background

RFC 6749 Section 10.5 states:

If the authorization server observes multiple attempts to exchange an authorization code for an access token, the authorization server
SHOULD attempt to revoke all access tokens already granted based on the compromised authorization code.

This is a defense-in-depth measure. If an attacker intercepts an authorization code and attempts to use it after the legitimate client has
already exchanged it, the server should revoke the tokens issued to the legitimate client. This alerts the system to a potential breach
and limits the damage from a compromised code.

Current Behavior

When a used authorization code is presented at the token endpoint:

  1. GetCodeByCodeHash(..., codeHash, false) returns nil (filters for used = false)
  2. Token endpoint returns invalid_grant error
  3. Previously issued tokens remain valid

Proposed Behavior

When a used authorization code is presented:

  1. Detect the replay attempt (query for the code without the used filter)
  2. Find all refresh tokens associated with that code_id
  3. Revoke them by setting revoked = true
  4. Log an audit event (e.g., AuditAuthCodeReplayDetected)
  5. Return invalid_grant error (same as current)

Implementation Notes

  • Add a new query or modify GetCodeByCodeHash to optionally return used codes for replay detection
  • Query refresh_tokens table by code_id to find tokens to revoke
  • Consider rate limiting or additional logging for forensic purposes
  • Access tokens are JWTs and cannot be revoked directly, but revoking refresh tokens prevents further token renewal
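The proposed flow and implementation notes above, worked through as an added example (written for this issue, not code from the project): an in-memory Store with hypothetical AuthCode and RefreshToken rows stands in for the codes and refresh_tokens tables, the lookup omits the used = false filter so a second exchange is recognised, and a replay revokes every refresh token tied to that code_id, records the AuditAuthCodeReplayDetected event named in the issue, and still returns invalid_grant.

```go
package main

import "errors"

// ErrInvalidGrant mirrors the OAuth 2.0 "invalid_grant" token error response.
var ErrInvalidGrant = errors.New("invalid_grant")

// Hypothetical row types standing in for the codes and refresh_tokens tables.
type AuthCode struct{ ID int64; Used bool }
type RefreshToken struct{ ID, CodeID int64; Revoked bool }

// Store is an in-memory stand-in for the database: codes keyed by code hash,
// refresh tokens in issue order, and AuditLog collecting audit events.
type Store struct {
	Codes         map[string]*AuthCode
	RefreshTokens []*RefreshToken
	AuditLog      []string
}

// RevokeRefreshTokensForCode sets revoked=true on every live refresh token tied to
// codeID and reports how many were revoked; access tokens are JWTs and simply expire.
func (s *Store) RevokeRefreshTokensForCode(codeID int64) int {
	n := 0
	for _, t := range s.RefreshTokens {
		if t.CodeID == codeID && !t.Revoked {
			t.Revoked = true
			n++
		}
	}
	return n
}

// ExchangeCode is the proposed token-endpoint flow. The lookup deliberately has no
// used=false filter, so a second exchange of the same code is seen as a replay: its
// refresh tokens are revoked, an audit event is recorded, and invalid_grant is returned.
func (s *Store) ExchangeCode(codeHash string) (*RefreshToken, error) {
	code := s.Codes[codeHash]
	if code == nil {
		return nil, ErrInvalidGrant // unknown code: nothing to revoke
	}
	if code.Used {
		s.RevokeRefreshTokensForCode(code.ID)
		s.AuditLog = append(s.AuditLog, "AuditAuthCodeReplayDetected")
		return nil, ErrInvalidGrant // same error as before, so the caller learns nothing new
	}
	code.Used = true // first, legitimate exchange consumes the code
	rt := &RefreshToken{ID: int64(len(s.RefreshTokens) + 1), CodeID: code.ID}
	s.RefreshTokens = append(s.RefreshTokens, rt)
	return rt, nil
}
```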

References
