Okta app refresh token reused
Description
AlphaSOC detected that an Okta app refresh token was reused. Refresh tokens are designed for single use to obtain new access tokens. When a refresh token is reused, it may indicate that threat actors have intercepted or stolen the token and are attempting to maintain persistent access to the application.
Impact
Although Okta automatically invalidates the most recent refresh token and all associated access tokens issued since user authentication, attempts to authenticate with a reused refresh token should be investigated as they may indicate an ongoing compromise.
Severity
| Severity | Condition |
|---|---|
| Informational | Okta app refresh token reused |
Investigation and Remediation
Review Okta system logs to identify the source of the token reuse, including IP addresses, user agents, and timestamps. Verify whether the activity aligns with legitimate user behavior or automated processes. If the activity appears unauthorized, revoke all active sessions for the affected user, enforce a password reset, and monitor the environment for additional suspicious activity and indicators of compromise.
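One way to script the log review described above is sketched below. This is an added example, not AlphaSOC's or Okta's own code. It lists each reuse event with its timestamp, IP address and user agent, and marks whether that source was seen earlier for the same actor. The event type names, the use of `actor.alternateId` as the grouping key, and the sample events are assumptions or constructed values.

```python
from collections import defaultdict

# Assumed System Log event types for refresh token reuse; confirm in your tenant.
REUSE_EVENT_TYPES = {"app.oauth2.token.detect_reuse",
                     "app.oauth2.as.token.detect_reuse"}

def source_of(event):
    """Return the (IP address, raw user agent) pair recorded on an event."""
    client = event.get("client") or {}
    agent = client.get("userAgent") or {}
    return client.get("ipAddress"), agent.get("rawUserAgent")

def triage_reuse(events, reuse_types=REUSE_EVENT_TYPES):
    """List reuse events, marking sources not seen earlier for the same actor."""
    seen = defaultdict(set)  # actor -> sources from earlier non-reuse events
    findings = []
    for ev in sorted(events, key=lambda e: e["published"]):
        # Assumption: actor.alternateId identifies the user or client to group by.
        actor = (ev.get("actor") or {}).get("alternateId", "unknown")
        ip, user_agent = source_of(ev)
        if ev.get("eventType") in reuse_types:
            findings.append({"actor": actor, "published": ev["published"],
                             "ip": ip, "user_agent": user_agent,
                             "new_source": (ip, user_agent) not in seen[actor]})
        else:
            # Reuse events never extend the baseline of known sources.
            seen[actor].add((ip, user_agent))
    return findings

def _event(ts, event_type, actor, ip, user_agent):
    return {"published": ts, "eventType": event_type,
            "actor": {"alternateId": actor},
            "client": {"ipAddress": ip,
                       "userAgent": {"rawUserAgent": user_agent}}}

# Constructed sample events using documentation IP ranges, not real log data.
SAMPLE_EVENTS = [
    _event("2024-05-01T10:05:00.000Z", "app.oauth2.token.detect_reuse",
           "bob@example.com", "198.51.100.5", "ExampleApp/3.2 (iOS)"),
    _event("2024-05-01T09:00:00.000Z", "user.session.start",
           "alice@example.com", "192.0.2.10", "Mozilla/5.0 (Macintosh)"),
    _event("2024-05-01T09:45:00.000Z", "app.oauth2.token.detect_reuse",
           "alice@example.com", "203.0.113.77", "python-requests/2.31.0"),
    _event("2024-05-01T10:00:00.000Z", "user.session.start",
           "bob@example.com", "198.51.100.5", "ExampleApp/3.2 (iOS)"),
]
```

Calling `triage_reuse(SAMPLE_EVENTS)` returns two findings: the reuse for alice@example.com comes from a source with no earlier activity (`new_source` is true), while the one for bob@example.com matches a source already seen, which is more consistent with a client retry.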