Duende IdentityServer 4
cpe:2.3:a:identityserver:identityserver4:*:*:*:*:*:*:*
- 4
A vulnerability exists in Duende IdentityServer 4 in the token renewal flow of the /connect/authorize endpoint. The issue arises from improper authentication handling of the id_token_hint parameter, which allows expired tokens to be reused to obtain new valid tokens without re-authentication. This vulnerability can be exploited remotely and is considered high in complexity.
Exploitation of this vulnerability allows for improper authentication, enabling an attacker to bypass authentication mechanisms and gain unauthorized access to user accounts. This is achieved by reusing expired tokens to obtain new valid tokens, thereby maintaining access without credentials or multi-factor authentication.
To reproduce this vulnerability, first authenticate a user in the application. Then, intercept a silent token renewal request sent to the /connect/authorize endpoint. This request should include the id_token_hint parameter carrying a valid JWT, as well as the prompt=none parameter. After the token expires, resend the intercepted request using an interception tool such as Burp Suite Repeater, without any modifications. The server will respond with a new valid id_token and access_token, demonstrating the improper validation of token expiration.
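As an added illustration (not IdentityServer's own code, which is C#; written in Python so it runs stand-alone), this is the server-side check the description says is missing: before honoring prompt=none, verify the id_token_hint signature, refuse an expired hint with login_required instead of minting new tokens, and bind the hint's sub to the current session. The signing key, claims and timestamps are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key: IdentityServer signs with its configured signing credential,
# not a shared secret; HS256 is used here only so the example runs stand-alone.
DEMO_KEY = b"constructed-demo-key-not-for-production"
CLOCK_SKEW = 300  # seconds of leeway commonly allowed when checking exp


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_id_token(sub: str, exp: int, key: bytes = DEMO_KEY) -> str:
    """Build a minimal HS256 id_token for the demo (constructed, not a real token)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"sub": sub, "exp": exp}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_id_token_hint(hint: str, session_sub: str, now: int,
                           key: bytes = DEMO_KEY) -> str:
    """Decide whether an id_token_hint may satisfy a prompt=none request.

    Returns "ok" when the hint is acceptable, otherwise the OIDC error the
    authorize endpoint should return instead of issuing new tokens.
    """
    try:
        header, payload, sig = hint.split(".")
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return "invalid_request"  # tampered or foreign token
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # bad segment count, bad base64, bad JSON
        return "invalid_request"
    # The check the description says is missing: an expired hint must not
    # silently renew; login_required makes the client fall back to interactive login.
    if now > int(claims.get("exp", 0)) + CLOCK_SKEW:
        return "login_required"
    # Bind the hint to the server-side session so a token issued to another
    # user cannot be replayed against the current browser session.
    if claims.get("sub") != session_sub:
        return "login_required"
    return "ok"
```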