When calling Refresh(RefreshToken) I expect that a new access token is provided but it looks like a whole new refresh token is being provided too. Is that intentional?
Yes, if you generate an access token from a refresh token in exchange the refresh token get expired so that no more access token can be generated from that same refresh token.
However, it can be used as long as the access token remains active and get expired once a new access token gets generated.
What is the incorrect thing in this @Phong Vu? If you use a refresh token to generate a new access token, that refresh token get expired. It will generate a new refresh token valid again for 7 days along with access token valid again for 3600 seconds. I am not sure if this is incorrect
My bad about the incorrect message. I got what he asked and you meant now. However, using the word "a refresh token get expired" after refreshing a token is mixing with the situation where the refresh token is expired. The correct statement is that after refreshing an access token, the old refresh token is revoked and a new refresh token with max expiration time is issued.
Is there a type of refresh token that is persistent? One that won't change every time?
I'm trying to avoid concurrent uses of our app stepping on each other's toes when it comes to the refresh token.
The answer is no. If your are using password flow and want to share the access token between all users, you have to manage the token refresh process in a way that other users will have access to the latest tokens.
If you are using 3-legged authorization, each user's login will have its own access and refresh tokens.
Every time you use a valid/unexpired refresh token to exchange for a new access token, you will get a new access token and a new refresh token. The new access token will be valid again for 3600 seconds and the new refresh token will be valid again for 7 days. This helps you avoid re-login as long as you handle this well and your refresh token is not expired.
@Phong Vu is there a way to get a new access token without refreshing the refresh token?
I already answered above.
The answer is no. If your are using password flow and want to share the access token between all users, you have to manage the token refresh process in a way that other users will have access to the latest tokens.
If you are using 3-legged authorization, each user's login will have its own access and refresh tokens.
5 People are following this question.
