We have a native app that uses refresh tokens with PKCE. It fairly regularly works. However, there are times when we get an “Invalid Refresh Token” error back, which results in an HTTP 403 error.
Can someone explain how/why this would happen? I can confirm that the refresh token sent is not revoked. As a sample, based on our logs it looks like we have seen this 13 times in the past 10 days, and have seen a successful exchange 1300 times.
Would Auth0 consider a refresh token invalid if someone logged in with the same account and got a more recent refresh token, for example? If a person has 2 devices and one account, would the latest refresh token be the only valid one?
I did a bit of research and found at least one cause of this situation. Logging in with the same account on Device A and Device B DOES NOT invalidate any refresh tokens. However, if on Device B the user logs out (which in our case revokes that refresh token from Device B), the refresh token from Device A then also becomes invalid.
Is this expected behavior? If an account has 2 refresh tokens active (due to 2 devices), would revoking one of them invalidate both refresh tokens?
That is correct.
For security reasons, when you revoke a token the grants associated with that token are deleted. This means that all other refresh tokens issued to the same combination of application, user and audience effectively become invalid.
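The following is an added illustration, not Auth0's code and not from the original thread. It models the behaviour the answer describes (one grant per application/user/audience combination; revoking any refresh token deletes that grant, so the other device's token starts failing with a 403) and shows the client-side consequence: that 403 is terminal, so the right response is to clear stored tokens and start an interactive login rather than retry. Class and function names, the error body shape, and the client/user/audience values are all constructed for the example.

```python
"""Model of grant-scoped refresh-token revocation plus a client-side handler
for the resulting 403. Hypothetical names; the server model is a simulation
of the behaviour described above, not Auth0's implementation."""
from dataclasses import dataclass
import secrets


@dataclass
class RefreshToken:
    value: str
    grant_id: str  # every refresh token points at the grant that issued it


class AuthServerModel:
    """Simulates the answer's rule: each (client, user, audience) combination
    has one grant; revoking any refresh token deletes that grant, so sibling
    tokens issued to other devices also become invalid."""

    def __init__(self):
        self.grants = {}  # grant_id -> (client, user, audience)
        self.tokens = {}  # token value -> RefreshToken

    def _grant_for(self, client, user, audience):
        key = (client, user, audience)
        for gid, existing in self.grants.items():
            if existing == key:
                return gid
        gid = secrets.token_hex(4)
        self.grants[gid] = key
        return gid

    def login(self, client, user, audience):
        """Interactive login (e.g. PKCE flow) on one device: issues a new
        refresh token bound to the shared grant. Does NOT invalidate others."""
        gid = self._grant_for(client, user, audience)
        tok = RefreshToken(secrets.token_urlsafe(16), gid)
        self.tokens[tok.value] = tok
        return tok.value

    def refresh(self, token_value):
        """Returns (status, body). 403 with an 'invalid refresh token' body
        (constructed shape) when the token is unknown or its grant is gone."""
        tok = self.tokens.get(token_value)
        if tok is None or tok.grant_id not in self.grants:
            return 403, {"error": "invalid_grant",
                         "error_description": "Invalid refresh token"}
        return 200, {"access_token": secrets.token_urlsafe(8)}

    def revoke(self, token_value):
        """Logout on one device: deletes the grant behind the token."""
        tok = self.tokens.pop(token_value, None)
        if tok is not None:
            self.grants.pop(tok.grant_id, None)


def handle_refresh(server, stored_token):
    """Client-side policy: a 403 invalid refresh token is terminal, not
    transient. Returns ('ok', access_token), ('reauth_required', None) or
    ('retry_later', None)."""
    status, body = server.refresh(stored_token)
    if status == 200:
        return "ok", body["access_token"]
    if status == 403 and body.get("error") == "invalid_grant":
        # Do not retry: the grant no longer exists. Clear the locally stored
        # tokens and start an interactive login to obtain a fresh grant.
        return "reauth_required", None
    return "retry_later", None


def two_device_scenario():
    """Replays the thread's experiment: login on A and B, logout on B,
    then refresh on A. Returns (status before, status after, client action)."""
    srv = AuthServerModel()
    tok_a = srv.login("native-app", "alice", "https://api.example")  # device A
    tok_b = srv.login("native-app", "alice", "https://api.example")  # device B
    before = srv.refresh(tok_a)[0]   # 200: B's login did not invalidate A
    srv.revoke(tok_b)                # logout on device B
    after = srv.refresh(tok_a)[0]    # 403: A's grant was deleted as well
    return before, after, handle_refresh(srv, tok_a)[0]


if __name__ == "__main__":
    print(two_device_scenario())
```

The useful operational point for the logs in the question is the split in `handle_refresh`: a 403 on refresh should be counted separately from network failures and should trigger a re-login, because retrying with the same token will never succeed once its grant has been deleted.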