Disabling refresh token rotation > impact?

zenonz · February 28, 2023, 10:34am

Simple question – but one for which I couldn’t see the answer in any docs or threads.

We currently have refresh token rotation enabled. However, I would like to turn it off as the security benefits are not so significant in our use case, and we don’t want users to require internally managing and renewing a long-lived token every 6 months.

I want to understand if disabling it will affect current tokens – i.e. will existing refresh tokens be invalidated or face issues (other than their existing expiry being in force).

We have production users using these for automated API queries so I need to be sure of this before toggling it off… and it’s just not clear anywhere if switching from enabled > disabled has such consequences.

tyf · March 2, 2023, 1:46am

Hi there @zenonz welcome to the community!

When you disable the rotation, it will have one last rotation. The last rotation will give you a non rotating RT so it shouldn’t have a negative effect on the users.

Hope this helps!

zenonz · March 6, 2023, 9:54am

Thanks! That helps a lot, situation clarified

system · March 20, 2023, 9:54am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Impact to the Existing Non-Rotating Refresh Tokens when Rotational Refresh Token Option is Enabled Knowledge Articles	1	385	December 11, 2023
When does a refresh token become invalid? Help auth0 , authentication , refresh-tokens	3	2233	July 12, 2022
Is it possible to have refresh token rotation with sliding expiry? Help sessions , rotating-refresh-tokens	2	24	September 10, 2024
How long is the Refresh token valid if the rotation is not set Help sessions , reusable-refresh-tokens	2	16	August 19, 2024
Achieving a Seamless User Experience with Refresh Token Inactivity Lifetimes Blog Discussions	5	3148	May 18, 2023

Disabling refresh token rotation > impact?

Related Topics