In the past, customers brought to our attention that some clients were not
able to receive a new refresh_token and use it right away. For that use
case we added a different type of rotation. The new refresh_token was
exactly the same as the given one, except that it had a new expiration
date, lifet

On Oct 6, 2020, at 16:05, Aaron Parecki wrote:
> However that also kind of defeats the purpose since attacks within that grace
> period would be hard to detect. I'm looking for an idea of where people have
> landed on that issue in practice.
This is effectively a race condition, and a grace per

> On 07.10.2020 at 09:20, Neil Madden wrote:
>
>>> On 6 Oct 2020, at 23:05, Aaron Parecki wrote:
>>>
>>
>> Hi all, I have a couple questions for those of you who have implemented
>> refresh token rotation...
>>
>> Have you included the option of a grace period on refresh token use