Hi Warren,

Thank you for your attention.

When public web clients use the authorization code grant for authentication, a successful response includes an access token and, optionally, a refresh token. If the access token is a JWT rather than an opaque token, the identity server will issue a new JWT access token for each authentication request with the same client_id and scope, based on the "issued at" (iat) claim. This means each authentication attempt generates a new JWT access token. In this context, how should the refresh token behave? Is it advisable to use a long-lived refresh token in conjunction with the JWT access token, or should the refresh token be rotated each time a new JWT access token is issued? For opaque access tokens, since they are not renewed with each request, a long-lived refresh token can be used.

Thanks and regards

On Fri, Aug 2, 2024 at 4:38 PM Warren Parad <wpa...@rhosys.ch> wrote:
> Indeewari,
>
> I'm confused regarding what you are describing. Would you be able to give additional context?
>
> - Warren
>
> On Fri, Aug 2, 2024 at 11:25 AM Indeewari Wijesiri <indeewa...@gmail.com> wrote:
>
>> Hi all,
>>
>> Refresh token rotation, which involves issuing a new refresh token each time an access token is renewed, is the default for the refresh grant. Do we follow the same practice for the authorization code grant and password grant as well? What is the recommended practice between long-lived refresh tokens and refresh token rotation for these grants?
>>
>> Additionally, is there a specific requirement for refresh token rotation with JWT access tokens in the authorization code grant and password grant, given that JWT access tokens are renewed per request?
>>
>> Thanks and Regards
>> --
>>
>> Indeewari Wijesiri
>> _______________________________________________
>> OAuth mailing list -- oauth@ietf.org
>> To unsubscribe send an email to oauth-le...@ietf.org
>>
>
--
Indeewari Wijesiri
Associate Technical Lead, WSO2 Inc

_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org
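The refresh token rotation practice the thread asks about, shown as an added Python example that is not part of this thread, of WSO2's code, or of any IETF document: a hypothetical in-memory authorization server store that starts a new token family on a successful authorization code (or password) grant, rotates the refresh token on every refresh grant, revokes the entire family when an already-consumed token is presented again (reuse detection), and bounds each family with an absolute lifetime so rotation cannot extend a session indefinitely. The class and method names, the `family_lifetime` default, the client ids and the access-token stand-in are all constructed for the example; a real server would mint a JWT where the stand-in string is returned.

```python
"""Refresh-token rotation with reuse detection (added example, hypothetical server state)."""
import secrets
import time
from dataclasses import dataclass


class InvalidGrant(Exception):
    """Corresponds to the OAuth 2.0 token-endpoint error 'invalid_grant'."""


@dataclass
class RefreshTokenRecord:
    family: str          # every token descended from one authorization grant shares a family id
    client_id: str
    scope: str
    family_started: float
    used: bool = False   # set once this token has been exchanged at the token endpoint


class RefreshTokenStore:
    """Hypothetical in-memory model of an authorization server's refresh-token state.

    - authorization code / password grant: start a new token family
    - refresh grant: rotate (old token marked used, new token minted in the same family)
    - presenting an already-used token: revoke the whole family (reuse detection)
    - a family has an absolute lifetime so rotation cannot keep a session alive forever
    """

    def __init__(self, family_lifetime=30 * 24 * 3600, clock=time.time):
        self.family_lifetime = family_lifetime   # seconds; constructed default
        self.clock = clock                       # injectable for testing
        self._tokens = {}                        # refresh token value -> RefreshTokenRecord
        self._revoked_families = set()

    def issue_for_grant(self, client_id, scope):
        """Successful authorization code (or password) grant: new family, first refresh token."""
        family = secrets.token_urlsafe(16)
        return self._mint(family, client_id, scope, self.clock())

    def _mint(self, family, client_id, scope, family_started):
        token = secrets.token_urlsafe(32)
        self._tokens[token] = RefreshTokenRecord(family, client_id, scope, family_started)
        return token

    def refresh(self, presented, client_id):
        """Refresh grant. Returns (access_token, new_refresh_token) or raises InvalidGrant."""
        record = self._tokens.get(presented)
        if record is None or record.client_id != client_id:
            raise InvalidGrant("unknown refresh token")
        if record.family in self._revoked_families:
            raise InvalidGrant("token family revoked")
        if self.clock() - record.family_started > self.family_lifetime:
            self._revoked_families.add(record.family)
            raise InvalidGrant("token family expired")
        if record.used:
            # A rotated-out token came back: either a stale client copy or a copy held by
            # someone else. Invalidate every token in the family so the holder gains nothing.
            self._revoked_families.add(record.family)
            raise InvalidGrant("refresh token reuse detected; family revoked")
        record.used = True
        new_refresh = self._mint(record.family, client_id, record.scope, record.family_started)
        access_token = "at-" + secrets.token_urlsafe(8)   # stand-in for the freshly issued JWT
        return access_token, new_refresh

    def is_family_revoked(self, token):
        record = self._tokens.get(token)
        return record is not None and record.family in self._revoked_families


def walk_through(store=None):
    """Drive the store through issue -> rotate -> replay and report what happened."""
    store = store or RefreshTokenStore()
    rt1 = store.issue_for_grant("spa-client", "openid profile")   # constructed client id
    _, rt2 = store.refresh(rt1, "spa-client")                     # normal rotation
    outcome = {"rotated": rt1 != rt2}
    try:
        store.refresh(rt1, "spa-client")                          # replay of the consumed token
        outcome["replay_rejected"] = False
    except InvalidGrant:
        outcome["replay_rejected"] = True
    outcome["family_revoked"] = store.is_family_revoked(rt2)
    try:
        store.refresh(rt2, "spa-client")                          # newest token is now dead too
        outcome["latest_rejected"] = False
    except InvalidGrant:
        outcome["latest_rejected"] = True
    return outcome


if __name__ == "__main__":
    print(walk_through())
```

Because the family id, not the individual token value, is the unit of revocation, the server needs no per-token expiry bookkeeping to react to a replayed token: one lookup tells it the family is dead, and the legitimate client simply re-authenticates through the authorization code grant and gets a fresh family.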