In other words, refresh token rotation is not specific to the refresh token
grant; it applies to the use of any refresh token regardless of how it's
obtained.
Aaron
On Fri, Aug 2, 2024 at 6:08 AM Justin Richer wrote:
The token lifetime is independent of whether the access token is a JWT or
unstructured. You should get a new access token for every new grant request. If
you get a refresh token from the auth code response, it's expected to be a new
value and unrelated to any previous ones because it's a new grant.
This errata looks correct to me, we should confirm it.
From: RFC Errata System
Sent: Wednesday, July 31, 2024 9:26 AM
To: m...@microsoft.com ; ve7...@ve7jtb.com ; n-sakim...@nri.co.jp ; debcool...@gmail.com ; paul.wout...@aiven.io ; hannes.tschofe...@arm.com ;
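The behaviour Justin and Aaron describe above (every grant request issues fresh tokens; a refresh token from an authorization code response is a new, unrelated value; rotation applies whenever a refresh token is used) can be made concrete with a small in-memory token issuer. This is an added example, not code from the thread or from any real authorization server. The store layout, the opaque token format, the sample authorization codes and the "family" revocation on reuse of a rotated-out refresh token are assumptions; the reuse detection in particular goes a step beyond what the thread states and follows the OAuth 2.0 Security BCP rather than anything posted here.

```python
"""Toy OAuth 2.0 token issuer illustrating refresh token rotation across grants.

Added example; the in-memory store, the token format and the family-based
reuse detection are assumptions, not something the thread describes.
"""
import secrets
from dataclasses import dataclass


@dataclass
class RefreshRecord:
    family: str        # identifies the grant that started this refresh chain
    active: bool = True


class TokenIssuer:
    def __init__(self):
        self._refresh = {}              # refresh_token -> RefreshRecord
        self._revoked_families = set()  # families killed by reuse detection
        # Constructed sample data: two outstanding, unused authorization codes.
        self._codes = {"code-abc": "alice", "code-def": "alice"}

    def _issue(self, family):
        """Mint a new access token and a new refresh token tied to `family`."""
        access = "at_" + secrets.token_urlsafe(16)
        refresh = "rt_" + secrets.token_urlsafe(16)
        self._refresh[refresh] = RefreshRecord(family)
        return {"access_token": access, "refresh_token": refresh,
                "token_type": "Bearer"}

    def authorization_code_grant(self, code):
        """A new grant: new family, new access token, new refresh token.

        The refresh token returned here is unrelated to any earlier one,
        even for the same user, because this is a separate grant.
        """
        if code not in self._codes:
            raise ValueError("invalid_grant")
        del self._codes[code]  # authorization codes are single use
        return self._issue("fam_" + secrets.token_urlsafe(8))

    def refresh_token_grant(self, refresh_token):
        """Rotate: spend the presented refresh token, return a fresh pair."""
        rec = self._refresh.get(refresh_token)
        if rec is None or rec.family in self._revoked_families:
            raise ValueError("invalid_grant")
        if not rec.active:
            # A rotated-out token was presented again. Assumed policy (BCP):
            # treat it as a stolen token and revoke the whole family.
            self._revoked_families.add(rec.family)
            raise ValueError("invalid_grant")
        rec.active = False  # the presented token is now spent
        return self._issue(rec.family)

    def family_of(self, refresh_token):
        """Return the grant family a refresh token belongs to (for inspection)."""
        return self._refresh[refresh_token].family


def walkthrough():
    """Run the exchanges discussed in the thread and report what happened."""
    issuer = TokenIssuer()
    first = issuer.authorization_code_grant("code-abc")      # grant 1
    rotated = issuer.refresh_token_grant(first["refresh_token"])
    second = issuer.authorization_code_grant("code-def")     # grant 2, same user

    def rejected(token):
        try:
            issuer.refresh_token_grant(token)
            return False
        except ValueError:
            return True

    return {
        "rotation_changed_refresh": rotated["refresh_token"] != first["refresh_token"],
        "rotation_changed_access": rotated["access_token"] != first["access_token"],
        "same_family_after_rotation": issuer.family_of(rotated["refresh_token"])
                                      == issuer.family_of(first["refresh_token"]),
        "new_grant_new_family": issuer.family_of(second["refresh_token"])
                                != issuer.family_of(first["refresh_token"]),
        "old_refresh_rejected": rejected(first["refresh_token"]),
        # Reuse of the old token revoked the family, so the rotated one dies too,
        # while the unrelated second grant is unaffected.
        "rotated_refresh_now_rejected": rejected(rotated["refresh_token"]),
        "second_grant_still_works": not rejected(second["refresh_token"]),
    }


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

Note that `refresh_token_grant` does not care where the refresh token came from: a token minted by the authorization code grant and one minted by a previous refresh are handled identically, which is the point Aaron makes about rotation not being specific to the refresh token grant.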
Hi Warren,
Thank you for your attention.
When public web clients use the authorization code grant for
authentication, a successful response includes an access token and,
optionally, a refresh token. If the access token is a JWT rather than an
opaque token, the identity server will issue a new JWT
Indeewari,
I'm confused regarding what you are describing. Would you be able to give
additional context?
- Warren
On Fri, Aug 2, 2024 at 11:25 AM Indeewari Wijesiri
wrote:
> Hi all,
>
Hi all,
Refresh token rotation, which involves issuing a new refresh token each
time an access token is renewed, is the default for the refresh grant. Do
we follow the same practice for the authorization code grant and password
grant as well? What is the recommended practice between long-lived ref