Closed
Description
Expected Behavior
The refresh token presented in the refresh_token grant flow should be invalidated once the new one has been issued.
Current Behavior
A previously used refresh token can still be used even though the server has generated a new one.
Context
According to the specification (https://www.rfc-editor.org/rfc/rfc6749#section-6, "Refreshing an Access Token"):
The authorization server MAY revoke the old
refresh token after issuing a new refresh token to the client.
At the moment, it is only possible to change the server's configuration so that it issues a new refresh token on each request instead of reusing the same one. We're looking for a similar option that also revokes the previous token at the same time, to provide better security.
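The difference between "rotate but keep the old token alive" (the current behaviour) and "rotate and revoke" is small in code but large in effect. The following is an added, self-contained Python model written for this issue; it is not the project's own token store, and all names in it (TokenStore, RefreshToken, InvalidGrant, simulate) are illustrative. It goes one step beyond what the issue asks for: a revoked token that is presented again is treated as a sign of theft or replay and the whole token family is revoked, which is the behaviour recommended in RFC 9700 (OAuth 2.0 Security Best Current Practice, section 4.14) rather than something RFC 6749 requires.

```python
"""Refresh-token rotation with and without revocation of the superseded token.

Illustrative in-memory model, not the project's own store. The reuse-detection
step follows the OAuth 2.0 Security BCP (RFC 9700, section 4.14) and goes beyond
the bare MAY in RFC 6749 section 6.
"""
import secrets
from dataclasses import dataclass


class InvalidGrant(Exception):
    """Would map to the RFC 6749 section 5.2 error response {"error": "invalid_grant"}."""


@dataclass
class RefreshToken:
    value: str
    family: str               # all tokens rotated from one original grant share a family id
    superseded: bool = False  # set once a newer token has been issued from this one


class TokenStore:
    def __init__(self, revoke_old: bool):
        # revoke_old=False reproduces the reported behaviour: the old token stays valid.
        self.revoke_old = revoke_old
        self._by_value: dict[str, RefreshToken] = {}
        self._revoked_families: set[str] = set()

    def issue_on_initial_grant(self) -> str:
        """Issue the first refresh token of a new family (e.g. after authorization_code)."""
        token = RefreshToken(secrets.token_urlsafe(32), family=secrets.token_hex(8))
        self._by_value[token.value] = token
        return token.value

    def refresh(self, presented: str) -> dict:
        """Handle grant_type=refresh_token and return an RFC 6749 section 5.1 style response."""
        token = self._by_value.get(presented)
        if token is None or token.family in self._revoked_families:
            raise InvalidGrant("invalid_grant")
        if token.superseded:
            # A token we already rotated away is being presented again. Either the
            # legitimate client lost the response or someone replayed a stolen token;
            # we cannot tell which, so the whole family is revoked.
            self._revoked_families.add(token.family)
            raise InvalidGrant("invalid_grant: refresh token reuse detected")
        new = RefreshToken(secrets.token_urlsafe(32), family=token.family)
        self._by_value[new.value] = new
        if self.revoke_old:
            token.superseded = True
        return {
            "access_token": secrets.token_urlsafe(32),
            "token_type": "Bearer",
            "expires_in": 3600,
            "refresh_token": new.value,
        }


def simulate(revoke_old: bool) -> dict:
    """Run the scenario from the issue: refresh once, then replay the old token."""
    store = TokenStore(revoke_old=revoke_old)
    rt1 = store.issue_on_initial_grant()
    rt2 = store.refresh(rt1)["refresh_token"]
    try:
        store.refresh(rt1)
        old_reusable = True
    except InvalidGrant:
        old_reusable = False
    try:
        store.refresh(rt2)
        new_still_valid = True
    except InvalidGrant:
        new_still_valid = False
    return {"rotated": rt1 != rt2, "old_reusable": old_reusable, "new_still_valid": new_still_valid}


if __name__ == "__main__":
    print("current behaviour :", simulate(revoke_old=False))
    print("with revocation   :", simulate(revoke_old=True))
```

With revoke_old=False the replay of the first token succeeds, which is exactly the behaviour reported above; with revoke_old=True it fails and also takes the freshly issued token down with it. Two practical notes for a real implementation: the "is it superseded" check and the "mark it superseded" write must be a single atomic operation (a transaction or compare-and-swap on the row), otherwise two concurrent refreshes with the same token both succeed; and some servers keep a short grace window in which the old token is still accepted, to tolerate clients that never received the rotation response, at the cost of a correspondingly longer replay window.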