CVE-2023-22492: fix: deactivate refresh tokens of deactivated or locked users · zitadel/zitadel@fc892c5

ZITADEL is a combination of Auth0 and Keycloak. Refresh tokens are an OAuth 2.0 feature that lets applications obtain new access tokens and extend the user’s session without any user interaction. Refresh tokens were not invalidated when a user was locked or deactivated, so a deactivated or locked user could still obtain a valid access token, though only through the refresh token grant: once the user’s session had already been terminated (“logged out”), no new session could be created. Renewal of an access token through a refresh token grant is limited to the configured lifetime (RefreshTokenExpiration). As a workaround, ensure the RefreshTokenExpiration in the OIDC settings of your instance is set according to your security requirements. This issue has been patched in versions 2.17.3 and 2.16.4.
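The check that closes this gap is small: a refresh-token grant has to be validated against the user's current lifecycle state, not only against the token's own expiry window. The following is an added illustration written for this page, not ZITADEL's code; the `User`, `RefreshToken` and `RenewRefreshToken` names, the state enum and the sample user store are all hypothetical, and only the setting name RefreshTokenExpiration comes from the advisory. It shows the three rejections a renewal path needs (deactivated or locked user, signed-out user agent, expired token) and why the first one is the actual fix.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// UserState is the subset of account lifecycle states that matter for
// refresh-token renewal. Hypothetical names, not ZITADEL's own.
type UserState int

const (
	UserActive UserState = iota
	UserDeactivated
	UserLocked
)

// User is a hypothetical projection of the user aggregate: current state plus
// the set of user agents whose sessions have been terminated by sign-out.
type User struct {
	State           UserState
	SignedOutAgents map[string]bool
}

// RefreshToken is the persisted grant the client presents on renewal.
type RefreshToken struct {
	UserID         string
	UserAgentID    string
	ClientID       string
	IssuedAt       time.Time
	LastUsedAt     time.Time
	IdleExpiration time.Duration // maximum gap allowed between two renewals
	Expiration     time.Duration // absolute lifetime (RefreshTokenExpiration in the OIDC settings)
}

var (
	ErrUnknownUser       = errors.New("refresh token invalid: unknown user")
	ErrUserNotActive     = errors.New("refresh token invalid: user deactivated or locked")
	ErrSessionTerminated = errors.New("refresh token invalid: session signed out")
	ErrTokenExpired      = errors.New("refresh token invalid: expired")
)

// RenewRefreshToken validates a refresh-token grant against the *current* user
// state, so that deactivating or locking an account also closes the renewal
// path the vulnerability left open. Time is injected for deterministic tests.
func RenewRefreshToken(users map[string]*User, tok RefreshToken, now time.Time) (RefreshToken, error) {
	u, ok := users[tok.UserID]
	if !ok {
		return RefreshToken{}, ErrUnknownUser
	}
	// The fix itself: a token owned by a non-active user is rejected regardless
	// of how much of its own validity window remains.
	if u.State != UserActive {
		return RefreshToken{}, ErrUserNotActive
	}
	// Sign-out of the user agent that holds this token ends its session.
	if u.SignedOutAgents[tok.UserAgentID] {
		return RefreshToken{}, ErrSessionTerminated
	}
	// Absolute lifetime, then idle lifetime since the last renewal.
	if !now.Before(tok.IssuedAt.Add(tok.Expiration)) || !now.Before(tok.LastUsedAt.Add(tok.IdleExpiration)) {
		return RefreshToken{}, ErrTokenExpired
	}
	// Renewal keeps the absolute expiry and resets the idle window.
	renewed := tok
	renewed.LastUsedAt = now
	return renewed, nil
}

func main() {
	now := time.Date(2023, 1, 10, 12, 0, 0, 0, time.UTC)
	// Constructed sample store: one active user, one deactivated, one with a
	// signed-out phone session.
	users := map[string]*User{
		"alice": {State: UserActive, SignedOutAgents: map[string]bool{}},
		"bob":   {State: UserDeactivated, SignedOutAgents: map[string]bool{}},
		"carol": {State: UserActive, SignedOutAgents: map[string]bool{"agent-phone": true}},
	}
	mk := func(user, agent string) RefreshToken {
		return RefreshToken{UserID: user, UserAgentID: agent, ClientID: "clientID1",
			IssuedAt: now.Add(-2 * time.Hour), LastUsedAt: now.Add(-30 * time.Minute),
			IdleExpiration: time.Hour, Expiration: 24 * time.Hour}
	}
	for _, tok := range []RefreshToken{mk("alice", "agent-laptop"), mk("bob", "agent-laptop"),
		mk("carol", "agent-phone"), mk("carol", "agent-laptop")} {
		_, err := RenewRefreshToken(users, tok, now)
		fmt.Printf("%s/%s: %v\n", tok.UserID, tok.UserAgentID, err)
	}
}
```

The ordering matters for detection as much as for correctness: checking user state before the expiry window means a renewal attempt by a deactivated account surfaces as a distinct error (and log event) rather than being hidden behind an eventual expiry, which is what the RefreshTokenExpiration workaround alone would give you.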

CVE
#oauth #auth

@@ -64,10 +64,16 @@ func TestCommands_AddAccessAndRefreshToken(t *testing.T) { }, }, { name: "add refresh token, user inactive, error", name: "add refresh token, user deactivated, error", fields: fields{ eventstore: eventstoreExpect(t, expectFilter(), expectFilter( eventFromEventPusher( user.NewUserDeactivatedEvent(context.Background(), &user.NewAggregate("userID", “orgID”).Aggregate, ), ), ), ), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, “refreshTokenID1”), }, 
@@ -912,6 +918,87 @@ func TestCommands_renewRefreshToken(t *testing.T) { err: caos_errs.IsErrorInvalidArgument, }, }, { name: "user deactivated, error", fields: fields{ eventstore: eventstoreExpect(t, expectFilter( eventFromEventPusherWithCreationDateNow(user.NewHumanRefreshTokenAddedEvent( context.Background(), &user.NewAggregate("userID", “orgID”).Aggregate, "tokenID", "applicationID", "userAgentID", "de", []string{"clientID1"}, []string{oidc.ScopeOpenID, oidc.ScopeProfile, oidc.ScopeEmail, oidc.ScopeOfflineAccess}, []string{"password"}, time.Now(), 1*time.Hour, 24*time.Hour, )), eventFromEventPusher( user.NewUserDeactivatedEvent( context.Background(), &user.NewAggregate("userID", “orgID”).Aggregate, ), ), ), ), keyAlgorithm: refreshTokenEncryptionAlgorithm(gomock.NewController(t)), }, args: args{ ctx: context.Background(), userID: "userID", orgID: "orgID", refreshToken: base64.RawURLEncoding.EncodeToString([]byte(“userID:tokenID:tokenID”)), idleExpiration: 1 * time.Hour, }, res: res{ err: caos_errs.IsErrorInvalidArgument, }, }, { name: "user signedout, error", fields: fields{ eventstore: eventstoreExpect(t, expectFilter( eventFromEventPusherWithCreationDateNow(user.NewHumanRefreshTokenAddedEvent( context.Background(), &user.NewAggregate("userID", “orgID”).Aggregate, "tokenID", "applicationID", "userAgentID", "de", []string{"clientID1"}, []string{oidc.ScopeOpenID, oidc.ScopeProfile, oidc.ScopeEmail, oidc.ScopeOfflineAccess}, []string{"password"}, time.Now(), 1*time.Hour, 24*time.Hour, )), eventFromEventPusher( user.NewHumanSignedOutEvent( context.Background(), &user.NewAggregate("userID", “orgID”).Aggregate, "userAgentID", ), ), ), ), keyAlgorithm: refreshTokenEncryptionAlgorithm(gomock.NewController(t)), }, args: args{ ctx: context.Background(), userID: "userID", orgID: "orgID", refreshToken: base64.RawURLEncoding.EncodeToString([]byte(“userID:tokenID:tokenID”)), idleExpiration: 1 * time.Hour, }, res: res{ err: caos_errs.IsErrorInvalidArgument, }, }, { name: 
"token renewed, ok", fields: fields{
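Review bot: The renamed case "add refresh token, user deactivated, error" in the @@ -64 hunk pins only user.NewUserDeactivatedEvent, while the advisory text on this page says locked users must be rejected as well; add a sibling case driven by the corresponding locked-user event so both rejection paths are covered by TestCommands_AddAccessAndRefreshToken. The two-step `expectFilter(), expectFilter(...)` setup would also benefit from a short comment stating which query each filter answers, since the expectation alone does not tell a reader why the first filter is empty.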
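Review bot: The two new cases in the @@ -912 hunk ("user deactivated, error" and "user signedout, error") assert only that renewal fails with caos_errs.IsErrorInvalidArgument; neither carries a push expectation, so the tests cannot distinguish a token that is revoked on a rejected renewal from one that is merely left in place, and a locked-user case is again missing. Consider too whether InvalidArgument is the right class for a well-formed token whose owner is deactivated: the argument is valid, the precondition is not, and the error type a client sees decides whether it retries. For the sign-out case, a negative counterpart in which the signed-out userAgentID differs from the token's "userAgentID" would prove that a sign-out on one device does not invalidate the token issued to another.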

Related news

GHSA-6rrr-78xp-5jp8: Zitadel RefreshToken invalidation vulnerability

### Impact

Refresh tokens are an OAuth 2.0 feature that allows applications to retrieve new access tokens and refresh the user's session without the need for interacting with a UI. Refresh tokens were not invalidated when a user was locked or deactivated. The deactivated or locked user was able to obtain a valid access token only through a refresh token grant. When the locked or deactivated user’s session was already terminated (“logged out”) then it was not possible to create a new session. Renewal of access token through a refresh token grant is limited to the configured amount of time (RefreshTokenExpiration).

### Patches

2.x versions are fixed on >= [2.17.3](https://github.com/zitadel/zitadel/releases/tag/v2.17.3)
2.16.x versions are fixed on >= [2.16.4](https://github.com/zitadel/zitadel/releases/tag/v2.16.4)
ZITADEL recommends upgrading to the latest versions available in due course.

### Workarounds

Ensure the RefreshTokenExpiration in the OIDC settings of your instance is set ...
