Abuse of revoked tokens

Leaked (and potentially long-lived) access or refesh tokens that cannot be revoked may enable an attacker to impersonate a user.

OAuth 2.0 Token Revocation (RFC7009, section 2.1)


This threat is considered fully mitigated if all the test cases from the following test set succeed.

Back to the threat overview