Leaked (and potentially long-lived) access or refresh tokens that cannot be revoked may enable an attacker to impersonate a user.
OAuth 2.0 Token Revocation (RFC7009, section 2.1)
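The revocation behaviour that RFC 7009 section 2.1 describes, modelled in memory as an added example (not part of the original page or of any test set it refers to). The class, method and client names are hypothetical, the tokens are constructed, and the status code used to refuse a foreign client is an assumption.

```python
# Added illustration of RFC 7009 revocation; all names are hypothetical, tokens constructed.
import secrets
from dataclasses import dataclass


@dataclass
class Token:
    kind: str        # "access_token" or "refresh_token"
    client_id: str   # client the token was issued to
    grant_id: str    # authorization grant the token derives from
    revoked: bool = False


class AuthServer:
    def __init__(self):
        self.tokens = {}

    def issue(self, kind, client_id, grant_id):
        value = secrets.token_urlsafe(16)
        self.tokens[value] = Token(kind, client_id, grant_id)
        return value

    def is_active(self, value):
        tok = self.tokens.get(value)
        return tok is not None and not tok.revoked

    def revoke(self, client_id, token, token_type_hint=None):
        """Handle a revocation request; the optional hint is ignored here."""
        tok = self.tokens.get(token)
        if tok is None:
            return 200  # section 2.2: invalid tokens still get HTTP 200
        if tok.client_id != client_id:
            return 400  # refused: issued to another client (status code assumed)
        tok.revoked = True
        if tok.kind == "refresh_token":
            # SHOULD: also invalidate access tokens based on the same grant
            for other in self.tokens.values():
                if other.grant_id == tok.grant_id and other.kind == "access_token":
                    other.revoked = True
        return 200


def leaked_tokens_usable_after_revocation():
    """Return the token kinds still accepted after the refresh token is revoked."""
    server = AuthServer()
    access = server.issue("access_token", "client-a", "grant-1")
    refresh = server.issue("refresh_token", "client-a", "grant-1")
    server.revoke("client-a", refresh, token_type_hint="refresh_token")
    pairs = (("access_token", access), ("refresh_token", refresh))
    return [kind for kind, value in pairs if server.is_active(value)]
```

An empty list from leaked_tokens_usable_after_revocation() means a leaked copy of either token stops working once the client revokes the refresh token.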
This threat is considered fully mitigated if all the test cases from the following test set succeed.