Authorization Code Grant Flow & Refresh Token Flow

[zecarlos94]

Hi! I have the following use case: Login process using authorization code grant flow which provides both an access_token (with TTL: 1h) and a refresh_token (with TTL: 12h)

The goal here is to generate 1 access token and 1 refresh token after a successful login and then keep generating new access tokens (after previous one expires) until the initial refresh token is no longer valid forcing user to login again. Using these TTLs it should generate 13 access tokens and only 1 refresh token per login session.

When I try to get a new access token using the refresh token, after the first access token expired, what happens is:

1. a new access token is generated (with TTL: 1h)
2. a new refresh token is generated as well (with TTL: 12h)
3. the initial refresh token which had another 11h (12h -1h) is inactive (was invalidated/revoked)

What I need to know is:

• Does hydra invalidate/revoke a refresh token after being used 1 time?? (I’m getting 403 when performing introspection on it)
• What is the best way to get a new access tokens using the initial refresh token? (docs do not mention how to implement the Refresh Token Flow - https://oauth.net/2/refresh-tokens/)

PS: I’m using this Oauth2 lib https://www.npmjs.com/package/simple-oauth2

[vinckr]

For reference, see the same discussion in the Ory Community archive:
https://archive.ory.sh/t/2683625/you-can-t-use-a-refresh-token-more-than-once-that-would-be-a

Does hydra invalidate/revoke a refresh token after being used 1 time

Can you maybe point to some third party documentation that describes what you are trying to do @zecarlos94 ? I think there is some misunderstanding as to how OAuth2 works.