Pocket ID OIDC Provider Refresh Token Authorization Bypass Vulnerability
Vulnerability
A vulnerability in Pocket ID's OIDC provider allows refresh tokens to keep working after the conditions under which they were issued no longer hold: after a user revokes a client's authorization, after an account is disabled, or after a user is removed from a group that a client is restricted to. The cause is that, prior to version 2.6.0, the 'createTokenFromRefreshToken' function validated the refresh token's integrity but did not re-check the user's current authorization status before issuing new tokens. As a result, a client could keep refreshing indefinitely after its authorization was revoked, a disabled account could still obtain new tokens through its refresh token, and client group restrictions could be bypassed.
Impact
This vulnerability creates a significant security risk by allowing continued access to user identity data and to downstream services that trust tokens issued by Pocket ID. It undermines the three controls an administrator would rely on to cut off access (authorization revocation, account disabling, and group-based client restrictions), leaving long-lived access paths open in sensitive environments after those controls have been applied.
Reproduction
The vulnerability can be reproduced by first obtaining a refresh token through the standard OIDC authorization flow, then applying one of the revocation actions: revoking the client's authorization, disabling the user account, or removing the user from a group the client is restricted to. Despite that action, presenting the refresh token to the token endpoint (the standard refresh_token grant) still succeeds and returns new tokens, including the user's identity information.
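The program below is an added example written for this page, not Pocket ID's code, and it models the behaviour described in the Vulnerability and Reproduction sections above with an in-memory store: a refresh token is issued, one of the revocation actions is applied, and the token is then exchanged once with the pre-2.6.0 check (integrity only) and once with a check that re-evaluates account status, consent and group membership at refresh time. Every type, field and function name here is an assumption made for the example; only the idea of a createTokenFromRefreshToken step that must consult current authorization state comes from the advisory. It runs offline and does not model HTTP or the token endpoint.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"slices"
)

// Constructed state model for an OIDC provider; these names are assumptions, not Pocket ID's own.
type User struct {
	Disabled bool
	Groups   map[string]bool
}
type RefreshToken struct{ UserID, ClientID string }
type Provider struct {
	Users          map[string]*User
	ClientGroups   map[string][]string      // clientID -> groups allowed to use it (empty: unrestricted)
	refreshTokens  map[string]*RefreshToken // opaque token -> user and client it was issued for
	authorizations map[string]bool          // "userID|clientID" -> consent still granted
}

var (
	ErrInvalidToken    = errors.New("invalid refresh token")
	ErrUserDisabled    = errors.New("user account is disabled")
	ErrNotAuthorized   = errors.New("client authorization has been revoked")
	ErrGroupRestricted = errors.New("user is not in a group allowed for this client")
)

func NewProvider() *Provider {
	return &Provider{Users: map[string]*User{}, ClientGroups: map[string][]string{},
		refreshTokens: map[string]*RefreshToken{}, authorizations: map[string]bool{}}
}

func randomToken(prefix string) string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return prefix + hex.EncodeToString(b)
}

func authKey(userID, clientID string) string { return userID + "|" + clientID }
// Authorize records consent given in the authorization flow; RevokeAuthorization withdraws it.
func (p *Provider) Authorize(userID, clientID string) { p.authorizations[authKey(userID, clientID)] = true }
func (p *Provider) RevokeAuthorization(userID, clientID string) { delete(p.authorizations, authKey(userID, clientID)) }

// IssueRefreshToken ends a successful authorization flow with an opaque token bound to user and client.
func (p *Provider) IssueRefreshToken(userID, clientID string) string {
	tok := randomToken("rt_")
	p.refreshTokens[tok] = &RefreshToken{UserID: userID, ClientID: clientID}
	return tok
}

// checkAuthorizationState re-evaluates at refresh time what can change after issuance:
// account status, consent for this client, and the client's group restriction.
func (p *Provider) checkAuthorizationState(rt *RefreshToken) error {
	user, ok := p.Users[rt.UserID]
	if !ok || user.Disabled {
		return ErrUserDisabled
	}
	if !p.authorizations[authKey(rt.UserID, rt.ClientID)] {
		return ErrNotAuthorized
	}
	allowed := p.ClientGroups[rt.ClientID]
	if len(allowed) > 0 && !slices.ContainsFunc(allowed, func(g string) bool { return user.Groups[g] }) {
		return ErrGroupRestricted
	}
	return nil
}

// CreateTokenFromRefreshToken exchanges a refresh token for a new access token. The integrity check
// (known token, bound to the requesting client) always runs. With enforceCurrentState false it stops
// there, like the pre-2.6.0 behaviour described above; with true it fails closed and discards the token.
func (p *Provider) CreateTokenFromRefreshToken(token, clientID string, enforceCurrentState bool) (string, error) {
	rt, ok := p.refreshTokens[token]
	if !ok || rt.ClientID != clientID {
		return "", ErrInvalidToken
	}
	if enforceCurrentState {
		if err := p.checkAuthorizationState(rt); err != nil {
			delete(p.refreshTokens, token)
			return "", err
		}
	}
	return randomToken("at_"), nil
}

func main() {
	p := NewProvider()
	p.Users["alice"] = &User{Groups: map[string]bool{"staff": true}}
	p.Authorize("alice", "app")
	tok := p.IssueRefreshToken("alice", "app")
	p.RevokeAuthorization("alice", "app")
	_, vulnErr := p.CreateTokenFromRefreshToken(tok, "app", false)
	_, fixedErr := p.CreateTokenFromRefreshToken(tok, "app", true)
	fmt.Printf("after revocation: pre-fix err=%v, fixed err=%v\n", vulnErr, fixedErr)
}
```

Two design points worth noting when applying this pattern to a real provider: the live check must run on every refresh, not only at issuance, because account status, consent and group membership are all mutable after the token is minted; and a refresh that fails the live check should discard the refresh token rather than merely refuse once, so that re-enabling an account or re-adding a group later does not silently revive tokens issued under the old state.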
Remediation
Users should update to Pocket ID version 2.6.0 or later, where this vulnerability has been fixed.
