Session Replay Attacks in OAuth 2.0
A silent attacker watches your OAuth 2.0 session. One replay, and they own the request, the token, the access.
Session replay in OAuth 2.0 happens when a valid authorization request, code, or token is captured and reused without the user’s consent. It bypasses login, it ignores expiration, it moves like the original event. The protocol itself does not stop it. Only proper implementation and hardened defenses will.
OAuth 2.0 uses tokens—authorization codes, access tokens, refresh tokens—to manage identity and permissions. If one of these is intercepted, a replay attack can make a backend accept it as if it were new. Common vectors include insecure redirects, unencrypted transport, poorly scoped tokens, and missing state parameters. Any gap in transport-layer security can give the attacker a full key to the kingdom.
To prevent session replay, enforce TLS everywhere with strong cipher suites. Validate the state parameter on every authorization response, matching it to the value issued for that browser session and accepting each value only once. Bind tokens to the client and user context with techniques like sender-constrained tokens or proof-of-possession. Use short-lived access tokens and rotate refresh tokens frequently. Audit redirect URIs and reject any that aren’t explicitly registered. Instrument logging to detect anomalies—the same token used from different IPs, rapid request bursts, odd geolocation patterns.
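Two of the controls above, the one-time session-bound state check and the log-based anomaly detection, as an added Python example that is not part of the original post and is not hoop.dev's own code. The `StateStore` design, the log line format, the token identifiers and the burst thresholds are assumptions; the log lines are constructed, and they carry a token identifier (a JWT `jti` or a token hash) rather than the raw token.

```python
import secrets
import time
from collections import defaultdict


class StateStore:
    """Server-side record of pending OAuth 2.0 'state' values, keyed by browser session.

    Assumed design (not from the post): each state is random, bound to one session,
    expires after `ttl_seconds`, and is deleted on first use so it cannot be replayed.
    """

    def __init__(self, ttl_seconds=300):
        self._pending = {}  # state -> (session_id, expires_at)
        self.ttl = ttl_seconds

    def issue(self, session_id, now=None):
        now = time.time() if now is None else now
        state = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._pending[state] = (session_id, now + self.ttl)
        return state

    def consume(self, state, session_id, now=None):
        """True only for a known, unexpired state issued to this session.

        The entry is removed even when validation fails, so one state value can
        never be presented twice."""
        now = time.time() if now is None else now
        entry = self._pending.pop(state, None)
        if entry is None:
            return False
        issued_to, expires_at = entry
        return now <= expires_at and issued_to == session_id


# Constructed resource-server access log: "<unix_ts> <token_id> <client_ip> <path>".
SAMPLE_LOG = """\
1700000000 tok_a1 203.0.113.10 /api/me
1700000001 tok_a1 203.0.113.10 /api/orders
1700000002 tok_b7 198.51.100.5 /api/me
1700000003 tok_a1 192.0.2.44 /api/orders
1700000003 tok_b7 198.51.100.5 /api/me
1700000003 tok_b7 198.51.100.5 /api/me
1700000003 tok_b7 198.51.100.5 /api/me
1700000004 tok_b7 198.51.100.5 /api/me
1700000004 tok_b7 198.51.100.5 /api/me
1700000004 tok_b7 198.51.100.5 /api/me
1700000010 tok_c3 203.0.113.77 /api/me
"""


def detect_token_anomalies(log_text, burst_window=10, burst_threshold=5):
    """Flag tokens used from more than one source IP or in rapid bursts.

    Returns {token_id: [reason, ...]} for anomalous tokens only. The thresholds
    are assumptions to be tuned per deployment."""
    events = defaultdict(list)  # token_id -> [(timestamp, ip)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, token_id, ip, _path = line.split()
        events[token_id].append((int(ts), ip))

    findings = {}
    for token_id, evs in events.items():
        reasons = []
        ips = {ip for _, ip in evs}
        if len(ips) > 1:
            reasons.append(f"used from {len(ips)} source IPs: {sorted(ips)}")
        times = sorted(ts for ts, _ in evs)
        for i, start in enumerate(times):
            # sliding window: requests within burst_window seconds of `start`
            count = sum(1 for t in times[i:] if t - start <= burst_window)
            if count >= burst_threshold:
                reasons.append(f"{count} requests within {burst_window}s")
                break
        if reasons:
            findings[token_id] = reasons
    return findings


if __name__ == "__main__":
    store = StateStore()
    sid = "sess-123"
    state = store.issue(sid)
    print("first use accepted:", store.consume(state, sid))      # True
    print("replayed state accepted:", store.consume(state, sid))  # False
    for token_id, reasons in detect_token_anomalies(SAMPLE_LOG).items():
        print(token_id, "->", "; ".join(reasons))
```

In the sample, `tok_a1` is flagged only for appearing from two source IPs, `tok_b7` only for a burst, and `tok_c3` is not flagged at all. A real pipeline would feed the same function from the resource server's access logs and route findings to token revocation or introspection checks.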
Advanced defenses include Mutual TLS (mTLS) for token endpoints, token introspection to verify active status before each request, and signed JWT access tokens with strict audience and issuer claims. OAuth 2.1 draft recommendations reduce replay risk by removing the Implicit Grant and enforcing PKCE for all code exchanges. PKCE (Proof Key for Code Exchange) binds the authorization code to a secret only the client holds: the client sends a hash of a random code verifier with the authorization request and reveals the verifier only at the token endpoint, so a captured code is a one-time-use artifact that nobody else can redeem.
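The PKCE exchange described above, carried through both sides, as an added Python example that is not part of the original post and is not hoop.dev's own code. The client-side verifier and S256 challenge follow RFC 7636; the `AuthorizationServer` class is an assumed minimal design that stores the challenge with each code, expires codes, and refuses a second redemption of the same code as RFC 6749 §4.1.2 requires. Client ids, redirect URIs and lifetimes are constructed values.

```python
import base64
import hashlib
import hmac
import secrets
import time


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 specifies."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """Client side: high-entropy random verifier (43 chars, inside RFC 7636's 43..128 range)."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """Client side: S256 challenge = base64url(SHA-256(verifier)); sent with the authorization request."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Minimal authorization-server state for the code exchange (assumed design, not hoop.dev's code)."""

    def __init__(self, code_ttl_seconds=60):
        self._codes = {}  # code -> record
        self.code_ttl = code_ttl_seconds

    def issue_code(self, client_id, redirect_uri, code_challenge, now=None):
        """Authorization endpoint: the challenge is stored alongside the code it protects."""
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(32)
        self._codes[code] = {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "challenge": code_challenge,
            "expires_at": now + self.code_ttl,
            "used": False,
        }
        return code

    def exchange_code(self, code, client_id, redirect_uri, code_verifier, now=None):
        """Token endpoint: returns {"access_token": ...} or {"error": "invalid_grant"}."""
        now = time.time() if now is None else now
        record = self._codes.get(code)
        if record is None or now > record["expires_at"]:
            return {"error": "invalid_grant"}
        if record["used"]:
            # Replay of an already-redeemed code. RFC 6749 §4.1.2: deny, and revoke
            # tokens previously issued from it (revocation omitted in this sketch).
            return {"error": "invalid_grant"}
        record["used"] = True  # any attempt, successful or not, consumes the code
        if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
            return {"error": "invalid_grant"}
        expected = make_code_challenge(code_verifier)
        if not hmac.compare_digest(expected, record["challenge"]):
            # A captured code without the matching verifier cannot be redeemed.
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 300}


if __name__ == "__main__":
    server = AuthorizationServer()
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    code = server.issue_code("app-1", "https://app.example/cb", challenge)
    print(server.exchange_code(code, "app-1", "https://app.example/cb", verifier))  # access token issued
    print(server.exchange_code(code, "app-1", "https://app.example/cb", verifier))  # replay: invalid_grant
```

Marking the code used before the remaining checks is a deliberate choice: a failed redemption attempt burns the code rather than leaving it available for retries, which also makes a later legitimate exchange fail loudly instead of silently succeeding after an interception attempt.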
Session replay attacks prey on trust—you trust the token is fresh, genuine, and yours. A secure OAuth 2.0 flow demands constant verification. Every endpoint, every parameter, every handshake must be locked down.
The cost of a single replay can be total compromise. The fix is precise engineering at every stage of the OAuth 2.0 lifecycle.
See how secure flows crush session replay in minutes—visit hoop.dev and run it live.