The OAuth access token issued by the application does not expire, making it persistently valid. This allows an attacker who captures a valid token (through insecure storage, interception, or another attack vector) to reuse it indefinitely without needing the user's password.
In this issue, the application generates OAuth access tokens that do not expire or lack proper expiration handling. This means that once an attacker gets hold of a valid token (e.g., through session hijacking, XSS, or insecure storage), they can continue to use it indefinitely to access the victim's account without needing to know the user's password.
Since OAuth tokens are meant to be temporary, long-lived or never-expiring tokens defeat the core principle of access token security. Tokens must expire to limit the impact of their theft or misuse.
A typical attack scenario involves capturing a valid token from a legitimate login (via browser traffic or insecure storage) and then replaying it from another browser. Even after a failed login attempt, the attacker can insert the captured token into their requests to bypass authentication and gain access.
This vulnerability allows persistent unauthorized access if a stolen token is reused. It enables attackers to compromise user accounts without knowing their passwords and significantly increases the risk of session hijacking or impersonation. Additionally, it breaks the intended OAuth token lifecycle and trust model, making token revocation and session control ineffective.
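As an added illustration (not code from the original description), a stdlib-only Python HS256 token issuer paired with the weak validator, which checks only the signature, and a hardened validator that additionally requires an unexpired `exp` claim. The signing key, the 15-minute TTL, the leeway and the claim names are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

SECRET = b"demo-signing-key-not-for-production"  # constructed; load from a secret store in practice
ACCESS_TOKEN_TTL = 900  # seconds; short-lived access token, renewed via a refresh token

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str) -> str:
    return _b64(hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest())

def issue_token(sub: str, now: int, ttl: Optional[int] = ACCESS_TOKEN_TTL) -> str:
    """Mint a compact HS256 JWT. ttl=None reproduces the weak server: no exp claim at all."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": sub, "iat": now}
    if ttl is not None:
        claims["exp"] = now + ttl
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    return signing_input + "." + _sign(signing_input)

def _verify_signature(token: str) -> Optional[dict]:
    parts = token.split(".")
    if len(parts) != 3:
        return None
    signing_input = parts[0] + "." + parts[1]
    if not hmac.compare_digest(_sign(signing_input), parts[2]):
        return None
    return json.loads(_unb64(parts[1]))

def verify_weak(token: str) -> Optional[dict]:
    """Vulnerable validator: signature only. A captured token stays usable forever."""
    return _verify_signature(token)

def verify_strict(token: str, now: int, leeway: int = 30) -> Optional[dict]:
    """Hardened validator: valid signature, then a mandatory exp claim that has not passed."""
    claims = _verify_signature(token)
    if claims is None:
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or now > exp + leeway:
        return None  # missing or elapsed expiry: reject and force renewal via refresh token
    return claims
```

Note that `verify_strict` rejects a token that carries no `exp` at all, so a legacy issuer that omits the claim cannot silently produce never-expiring tokens.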