Insecure token expiration configuration

Severity: Medium
Applies to: OAuthV2
Links: CWE-613

Why This Issue Is Important

Access and refresh tokens with insecurely long expiration times increase the risk of unauthorized access. Long-lived tokens may expose the system to abuse by allowing malicious actors to retain access to sensitive resources for extended periods, especially if the tokens are compromised.

  • Access tokens should expire in a reasonable time frame (e.g., one hour) to limit exposure.
  • Refresh tokens should expire within a day to reduce the risk of misuse in case they are stolen.

Failure to set appropriate expiration times grants access well beyond the period in which it is actually needed, which weakens the security of the system and extends the window in which a compromised token can be exploited.

How This Issue Is Detected

This issue is detected by inspecting the Apigee OAuthV2 policy's configuration for the GenerateAccessToken operation. The rule is triggered, marking the configuration as insecure, if the access token expiration time (ExpiresIn) exceeds one hour (60 minutes) or is set to -1 (indicating no expiration), or if the refresh token expiration time (RefreshTokenExpiresIn) exceeds one day (24 hours).

How to Fix the Issue

To secure the access and refresh tokens:

  • Ensure that ExpiresIn is set to a value no greater than 60 * 60 * 1000 milliseconds (1 hour).
  • Ensure that RefreshTokenExpiresIn is set to a value no greater than 60 * 60 * 24 * 1000 milliseconds (24 hours).

For example, in the OAuthV2 policy:

    <ExpiresIn>3600000</ExpiresIn>                          <!-- 1 hour -->
    <RefreshTokenExpiresIn>86400000</RefreshTokenExpiresIn> <!-- 24 hours -->
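The following is an added example, not code from the original rule or from Apigee, showing how the detection logic described under "How This Issue Is Detected" can be implemented as a static check over an OAuthV2 policy file, and how it distinguishes the weak settings from the corrected ones under "How to Fix the Issue". It uses only the Python standard library. The two policy documents are constructed samples; the function name check_token_expiry and the decision to treat RefreshTokenExpiresIn = -1 the same way as ExpiresIn = -1 are assumptions of this example, not part of the rule text.

```python
import xml.etree.ElementTree as ET

# Limits stated by the rule. Apigee's OAuthV2 policy expresses both values
# in milliseconds, which is why the fix section uses 60 * 60 * 1000.
MAX_ACCESS_TOKEN_MS = 60 * 60 * 1000          # 3 600 000 ms = 1 hour
MAX_REFRESH_TOKEN_MS = 60 * 60 * 24 * 1000    # 86 400 000 ms = 24 hours


def _read_ms(root, tag):
    """Return the integer value of <tag> in milliseconds, None if the element
    is absent, or the raw text if it is not a literal integer (for example a
    value resolved from a flow variable at runtime)."""
    el = root.find(tag)
    if el is None:
        return None
    text = (el.text or "").strip()
    try:
        return int(text)
    except ValueError:
        return text


def check_token_expiry(policy_xml):
    """Lint one Apigee OAuthV2 policy document and return a list of findings.

    Only the GenerateAccessToken operation is inspected, as the rule says.
    An absent element is left to the platform default and is not evaluated
    here (assumption: out of scope for this check).
    """
    root = ET.fromstring(policy_xml)
    if root.tag != "OAuthV2":
        return []
    if (root.findtext("Operation") or "").strip() != "GenerateAccessToken":
        return []

    findings = []

    access = _read_ms(root, "ExpiresIn")
    if isinstance(access, str):
        findings.append(f"ExpiresIn is not a literal integer ({access!r}); review the runtime value")
    elif access == -1:
        findings.append("ExpiresIn is -1: access tokens never expire")
    elif access is not None and access > MAX_ACCESS_TOKEN_MS:
        findings.append(f"ExpiresIn {access} ms exceeds the 1 hour limit ({MAX_ACCESS_TOKEN_MS} ms)")

    refresh = _read_ms(root, "RefreshTokenExpiresIn")
    if isinstance(refresh, str):
        findings.append(f"RefreshTokenExpiresIn is not a literal integer ({refresh!r}); review the runtime value")
    elif refresh == -1:
        # Assumption: -1 is treated as "never expires" for refresh tokens too.
        findings.append("RefreshTokenExpiresIn is -1: refresh tokens never expire")
    elif refresh is not None and refresh > MAX_REFRESH_TOKEN_MS:
        findings.append(f"RefreshTokenExpiresIn {refresh} ms exceeds the 24 hour limit ({MAX_REFRESH_TOKEN_MS} ms)")

    return findings


# Constructed sample: non-expiring access token, 7-day refresh token.
INSECURE_POLICY = """<OAuthV2 name="GenerateToken">
  <Operation>GenerateAccessToken</Operation>
  <ExpiresIn>-1</ExpiresIn>
  <RefreshTokenExpiresIn>604800000</RefreshTokenExpiresIn>
  <SupportedGrantTypes><GrantType>password</GrantType></SupportedGrantTypes>
  <GenerateResponse enabled="true"/>
</OAuthV2>"""

# Constructed sample: the values recommended in the fix section.
SECURE_POLICY = """<OAuthV2 name="GenerateToken">
  <Operation>GenerateAccessToken</Operation>
  <ExpiresIn>3600000</ExpiresIn>
  <RefreshTokenExpiresIn>86400000</RefreshTokenExpiresIn>
  <SupportedGrantTypes><GrantType>password</GrantType></SupportedGrantTypes>
  <GenerateResponse enabled="true"/>
</OAuthV2>"""


if __name__ == "__main__":
    for label, policy in (("insecure", INSECURE_POLICY), ("secure", SECURE_POLICY)):
        print(f"{label}: {check_token_expiry(policy) or 'no findings'}")
```

Values exactly at the limit (3600000 and 86400000) pass, since the rule triggers only when the limit is exceeded; a policy whose Operation is anything other than GenerateAccessToken produces no findings.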