Description
Feature Description
When refresh token invalidation is enabled and a refresh token replay attack is detected, Gitea should invalidate all refresh tokens for the client, following the OAuth security best practice in https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-23#section-4.14.2
Refresh token rotation: the authorization server issues a new refresh token with every access token refresh response. The previous refresh token is invalidated but information about the relationship is retained by the authorization server. If a refresh token is compromised and subsequently used by both the attacker and the legitimate client, one of them will present an invalidated refresh token, which will inform the authorization server of the breach. The authorization server cannot determine which party submitted the invalid refresh token, but it will revoke the active refresh token. This stops the attack at the cost of forcing the legitimate client to obtain a fresh authorization grant.
Currently Gitea simply rejects the replayed refresh token and logs a message:
A client tried to use a refresh token for grant_id = %d was used twice!
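To make the requested behaviour concrete, here is an added, self-contained Go model of refresh token rotation with replay detection (example code written for this issue, not Gitea's own implementation). It tracks, per grant, every refresh token ever issued; presenting a token that has already been rotated out is treated as the breach signal from the draft and revokes the whole grant rather than only rejecting the one token. The type and error names (RefreshStore, ErrReplayDetected, and so on) are assumptions, and the store is in-memory where Gitea would use its database.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// Error values returned by Refresh. Names are assumptions for this example.
var (
	ErrUnknownToken   = errors.New("oauth: unknown refresh token")
	ErrGrantRevoked   = errors.New("oauth: grant revoked")
	ErrReplayDetected = errors.New("oauth: refresh token replay detected; all tokens for the grant revoked")
)

// grant is one authorization (client + user) and the chain of refresh tokens
// issued for it. Only the newest token is valid; older ones are remembered so
// that a later presentation of one of them is recognised as replay.
type grant struct {
	id      int64
	current string          // the single refresh token that is currently valid
	issued  map[string]bool // every token ever issued for this grant
	revoked bool
}

// RefreshStore is an in-memory model of the authorization server's state
// (hypothetical; a real server persists this).
type RefreshStore struct {
	mu      sync.Mutex
	grants  map[int64]*grant
	byToken map[string]int64 // refresh token -> grant id
	nextID  int64
}

func NewRefreshStore() *RefreshStore {
	return &RefreshStore{grants: map[int64]*grant{}, byToken: map[string]int64{}}
}

// newToken returns 256 bits of CSPRNG output, hex encoded.
func newToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// issue mints a fresh token for g and makes it the only valid one.
func (s *RefreshStore) issue(g *grant) string {
	t := newToken()
	g.current = t
	g.issued[t] = true
	s.byToken[t] = g.id
	return t
}

// NewGrant models the initial authorization (e.g. the code exchange) and
// returns the grant id together with its first refresh token.
func (s *RefreshStore) NewGrant() (int64, string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.nextID++
	g := &grant{id: s.nextID, issued: map[string]bool{}}
	s.grants[g.id] = g
	return g.id, s.issue(g)
}

// Refresh rotates a valid token. A token that belongs to the grant but is no
// longer current has been used twice: either the legitimate client or an
// attacker holds a stolen copy, the server cannot tell which, so it revokes
// every token for the grant and forces a new authorization.
func (s *RefreshStore) Refresh(token string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	gid, ok := s.byToken[token]
	if !ok {
		return "", ErrUnknownToken
	}
	g := s.grants[gid]
	if g.revoked {
		return "", ErrGrantRevoked
	}
	if token != g.current {
		g.revoked = true // invalidate the whole chain, not just this token
		g.current = ""
		return "", ErrReplayDetected
	}
	return s.issue(g), nil
}

// GrantRevoked reports whether the grant's token chain has been revoked.
func (s *RefreshStore) GrantRevoked(id int64) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	g, ok := s.grants[id]
	return ok && g.revoked
}

func main() {
	s := NewRefreshStore()
	_, t1 := s.NewGrant()
	t2, _ := s.Refresh(t1)  // legitimate rotation: t1 is now invalid
	_, err := s.Refresh(t1) // second use of t1 is the replay signal
	fmt.Println("replay:", err)
	_, err = s.Refresh(t2) // the newest token is dead too
	fmt.Println("after revocation:", err)
}
```

The difference from the current behaviour is the `g.revoked = true` branch: instead of only rejecting the replayed token and logging, the whole grant is invalidated, so whichever party held the stolen copy loses access along with the legitimate client.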