The token lifetime is independent of whether the access token is a JWT or unstructured. You should get a new access token for every new grant request. If you get a refresh token from the auth code response, it's expected to be a new value and unrelated to any previous ones because it's a new grant. And since you can't use the auth code more than once, the rest of your question goes astray - there is nothing to rotate because it's all new.

It doesn't matter how you got a refresh token, it's always up to the AS whether it wants to rotate the value when you use it.

- Justin

________________________________
From: Indeewari Wijesiri <indeewa...@gmail.com>
Sent: Friday, August 2, 2024 7:36 AM
To: Warren Parad <wpa...@rhosys.ch>
Cc: oauth@ietf.org <oauth@ietf.org>
Subject: [OAUTH-WG] Re: Refresh Token Rotation

Hi Warren,

Thank you for your attention.

When public web clients use the authorization code grant for authentication, a successful response includes an access token and, optionally, a refresh token. If the access token is a JWT rather than an opaque token, the identity server will issue a new JWT access token for each authentication request with the same client_id and scope, based on the "issued at" (iat) claim. This means each authentication attempt generates a new JWT access token.

In this context, how should the refresh token behave? Is it advisable to use a long-lived refresh token in conjunction with the JWT access token, or should the refresh token be rotated each time a new JWT access token is issued?

For opaque access tokens, since they are not renewed with each request, a long-lived refresh token can be used.

Thanks and regards

On Fri, Aug 2, 2024 at 4:38 PM Warren Parad <wpa...@rhosys.ch> wrote:
> Indeewari,
>
> I'm confused regarding what you are describing. Would you be able to give additional context?
>
> - Warren
>
> On Fri, Aug 2, 2024 at 11:25 AM Indeewari Wijesiri <indeewa...@gmail.com> wrote:
> > Hi all,
> >
> > Refresh token rotation, which involves issuing a new refresh token each time an access token is renewed, is the default for the refresh grant. Do we follow the same practice for the authorization code grant and password grant as well? What is the recommended practice between long-lived refresh tokens and refresh token rotation for these grants?
> >
> > Additionally, is there a specific requirement for refresh token rotation with JWT access tokens in the authorization code grant and password grant, given that JWT access tokens are renewed per request?
> >
> > Thanks and Regards
> >
> > --
> > Indeewari Wijesiri
> >
> > _______________________________________________
> > OAuth mailing list -- oauth@ietf.org
> > To unsubscribe send an email to oauth-le...@ietf.org

--
Indeewari Wijesiri
Associate Technical Lead, WSO2 Inc
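To make the two points in Justin's reply concrete (every authorization-code exchange is a new grant with a fresh access token and a fresh refresh token, and whether a refresh token is rotated on use is a policy the AS chooses), here is a toy token endpoint. This is an added illustration written for this page, not code from the thread or from any real authorization server; the class and method names, the HS256 signing key and the client_id/scope values are all constructed for the example. The reuse handling follows RFC 6749 section 4.1.2 for authorization codes (deny and revoke tokens issued from a reused code) and the common rotation practice of revoking the grant when an already-rotated refresh token is presented again.

```python
"""Toy OAuth 2.0 token endpoint (example only, not an implementation from the thread).

Shows: single-use authorization codes, a new JWT access token (own iat/jti) per
issuance, a new refresh token per grant, and refresh-token rotation as AS policy.
"""
from __future__ import annotations
import base64, hashlib, hmac, json, secrets, time

SIGNING_KEY = b"constructed-hs256-key"  # constructed for the example; a real AS uses a managed key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_jwt(claims: dict) -> str:
    """Minimal HS256 JWT; enough to show each access token carries its own iat and jti."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "at+jwt"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def jwt_claims(token: str) -> dict:
    """Decode the payload (no signature check; this is a demo helper, not a validator)."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


class TokenError(Exception):
    pass


class AuthorizationServer:
    def __init__(self, rotate_refresh_tokens: bool = True, access_ttl: int = 600):
        self.rotate = rotate_refresh_tokens          # AS policy: rotate on use or not
        self.access_ttl = access_ttl
        self.codes: dict[str, dict] = {}             # authorization code -> grant record
        self.refresh: dict[str, dict] = {}           # refresh token -> grant record
        self.revoked_grants: set[str] = set()

    def issue_authorization_code(self, client_id: str, scope: str) -> str:
        """Each code represents a brand-new grant with its own grant_id."""
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"grant_id": secrets.token_hex(8), "client_id": client_id,
                            "scope": scope, "used": False}
        return code

    def _access_token(self, grant: dict) -> str:
        now = int(time.time())
        return make_jwt({"client_id": grant["client_id"], "scope": grant["scope"],
                         "iat": now, "exp": now + self.access_ttl,
                         "jti": secrets.token_hex(8)})

    def _new_refresh_token(self, grant: dict) -> str:
        rt = secrets.token_urlsafe(32)
        self.refresh[rt] = {**grant, "consumed": False}
        return rt

    def token(self, grant_type: str, client_id: str, **params) -> dict:
        if grant_type == "authorization_code":
            rec = self.codes.get(params.get("code", ""))
            if rec is None or rec["client_id"] != client_id:
                raise TokenError("invalid_grant")
            if rec["used"]:
                # RFC 6749 s4.1.2: deny the request and revoke tokens issued from this code
                self.revoked_grants.add(rec["grant_id"])
                raise TokenError("invalid_grant: authorization code reuse")
            rec["used"] = True
            grant = {k: rec[k] for k in ("grant_id", "client_id", "scope")}
            return {"access_token": self._access_token(grant), "token_type": "Bearer",
                    "expires_in": self.access_ttl,
                    "refresh_token": self._new_refresh_token(grant)}
        if grant_type == "refresh_token":
            rec = self.refresh.get(params.get("refresh_token", ""))
            if rec is None or rec["client_id"] != client_id or rec["grant_id"] in self.revoked_grants:
                raise TokenError("invalid_grant")
            if rec["consumed"]:
                # a rotated-out token presented again: assume theft, revoke the whole grant
                self.revoked_grants.add(rec["grant_id"])
                raise TokenError("invalid_grant: refresh token reuse")
            grant = {k: rec[k] for k in ("grant_id", "client_id", "scope")}
            resp = {"access_token": self._access_token(grant), "token_type": "Bearer",
                    "expires_in": self.access_ttl}
            if self.rotate:
                rec["consumed"] = True
                resp["refresh_token"] = self._new_refresh_token(grant)
            else:
                resp["refresh_token"] = params["refresh_token"]  # long-lived, unchanged
            return resp
        raise TokenError("unsupported_grant_type")


def rejects(server: AuthorizationServer, grant_type: str, client_id: str, **params) -> bool:
    """True if the token endpoint refuses the request (used to show the failure paths)."""
    try:
        server.token(grant_type, client_id, **params)
        return False
    except TokenError:
        return True
```

Run two instances, one with rotate_refresh_tokens=True and one with False, and compare the refresh_token field across successive refresh grants: the access token differs every time in both cases (new iat and jti), while the refresh token changes only under the rotation policy. Either way the authorization code itself is accepted once and never again.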