Hello,

We have recently upgraded our UAT ISVA cluster to the latest update (11.0.1 IF1) and thanks to an internal pen-test, we have identified that Refresh tokens are not invalidated anymore after being used.

I'm able to call the /token endpoint with the same refresh_token as much as I want, with each call generating a new pair of AT/RT/ID_TOKENS.

-=> Has anyone already noticed this critical change in behavior ? 

As we are using an OIDC policy where we have not enabled the "Do not rotate refresh token" and "Enable multiple refresh tokens for fault tolerance" this seems more like a critical bug than a desired behavior change.

I tested the exact same calls on our production environment (still in 11.0.0) and the refresh tokens are correctly discarded after their first use.

If someone can confirm this, it will be important to advertise that this update (11.0.1 or the IF1) should not go in production for anyone using OIDC/OAuth policies.

I saw this come across their alerts back on October 28:

https://www.ibm.com/mysupport/s/defect/aCIgJ0000006dWXWAY/dt453944?language=en_US&myns=slc&mync=E&cm_sp=slc-_-NULL-_-E

I suspect it may be related.  I had subscribed to it to monitor for updates, but I don't recall seeing any.  I would definitely report to support to make sure they are aware.

Your post peaked my interest as I have not tested that firmware version yet, but refresh tokens not expiring would be a big deal for me and our security teams would likely alert on it as well.

Matt

Hello,

We have recently upgraded our UAT ISVA cluster to the latest update (11.0.1 IF1) and thanks to an internal pen-test, we have identified that Refresh tokens are not invalidated anymore after being used.

I'm able to call the /token endpoint with the same refresh_token as much as I want, with each call generating a new pair of AT/RT/ID_TOKENS.

-=> Has anyone already noticed this critical change in behavior ? 

As we are using an OIDC policy where we have not enabled the "Do not rotate refresh token" and "Enable multiple refresh tokens for fault tolerance" this seems more like a critical bug than a desired behavior change.

I tested the exact same calls on our production environment (still in 11.0.0) and the refresh tokens are correctly discarded after their first use.

If someone can confirm this, it will be important to advertise that this update (11.0.1 or the IF1) should not go in production for anyone using OIDC/OAuth policies.

Hi Matt,

That known issue is exactly what we have observed. I missed the alert unfortunately so we discovered by chance :( 

There seems to exist a "test fix" which IBM support will make available as soon as they can.

Anyway, this is bad news because each time we need to upgrade our ISVA, we do not test 100% of our applications and implementations to make sure something as critical as this has not slipped by. It kind of breaks the trust on the security solution...

I saw this come across their alerts back on October 28:

https://www.ibm.com/mysupport/s/defect/aCIgJ0000006dWXWAY/dt453944?language=en_US&myns=slc&mync=E&cm_sp=slc-_-NULL-_-E

I suspect it may be related.  I had subscribed to it to monitor for updates, but I don't recall seeing any.  I would definitely report to support to make sure they are aware.

Your post peaked my interest as I have not tested that firmware version yet, but refresh tokens not expiring would be a big deal for me and our security teams would likely alert on it as well.

Matt

Hello,

We have recently upgraded our UAT ISVA cluster to the latest update (11.0.1 IF1) and thanks to an internal pen-test, we have identified that Refresh tokens are not invalidated anymore after being used.

I'm able to call the /token endpoint with the same refresh_token as much as I want, with each call generating a new pair of AT/RT/ID_TOKENS.

-=> Has anyone already noticed this critical change in behavior ? 

As we are using an OIDC policy where we have not enabled the "Do not rotate refresh token" and "Enable multiple refresh tokens for fault tolerance" this seems more like a critical bug than a desired behavior change.

I tested the exact same calls on our production environment (still in 11.0.0) and the refresh tokens are correctly discarded after their first use.

If someone can confirm this, it will be important to advertise that this update (11.0.1 or the IF1) should not go in production for anyone using OIDC/OAuth policies.