6819_4_5_3

Obtaining Refresh Token by Online Guessing

An attacker may try to guess valid refresh token values and send it using the grant type 'refresh_token' in order to obtain a valid access token.

OAuth 2.0 Threat Model and Security Considerations (RFC6819, section 4.5.3)

Mitigations

This threat is considered fully mitigated if all the test cases from one of the following test sets succeed.

• Set #1
• Tokens.RefreshTokenEntropyMinReqTest (impact factor: 48%)
• Tokens.RefreshTokenEntropySugReqTest (impact factor: 5%)
• TokenEndpoint.IsRefreshBoundToClientTest (impact factor: 48%)
• Set #2
• TokenEndpoint.IsRefreshBoundToClientTest (impact factor: 50%)
• TokenEndpoint.IsRefreshAuthenticationRequiredTest (impact factor: 50%)

The impact factor is a measure that indicates how important a given countermeasure is towards mitigating a threat.

Back to the threat overview