With OpenIdConnect, when the access_token expires, I use the refresh token to get a new one, and in the response I also have a new refresh token (the first used is revoked).
But it seems it doesn't work like this with Auth0: the refresh token never expires.
How can I force the generation of a new refresh token after I call the /oauth/token endpoint with grant_type=refresh_token?
According to our refresh token documentation:
Auth0 handles token revocation as though the token has been potentially exposed to malicious adversaries. Therefore, each revocation request invalidates not only the specific token, but all other tokens based on the same authorization grant. This means that all Refresh Tokens that have been issued for the same user, application, and audience will be revoked.
This may cause some complications with revoking every token that you use.
Does that make sense?
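To make the two behaviours in this thread concrete, here is an added example (mine, not Auth0's code and not the asker's) of a server-side refresh token store that rotates on every use, as the asker describes for OpenID Connect, and that applies the family-wide revocation quoted above: a grant is identified by the user, application and audience, and presenting a token that was already rotated is treated as possible exposure, so every token issued under that grant is revoked. The class and method names, the in-memory dict, and the sample grant ids are all assumptions of this example; a real deployment would keep the records in a database and only ever store the token hash, as done here.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


class RefreshTokenReuseError(Exception):
    """A refresh token that was already rotated was presented again."""


@dataclass
class RefreshTokenRecord:
    # grant_id identifies the authorization grant: user + application + audience.
    grant_id: str
    revoked: bool = False


@dataclass
class RotatingRefreshTokenStore:
    """Toy model of refresh token rotation with reuse detection (constructed example).

    Each call to refresh() revokes the presented token and issues a new one bound
    to the same grant. If a revoked token is presented again, the server cannot
    tell the legitimate client from a thief, so the whole grant family is revoked.
    """
    # Keyed by SHA-256 of the token so a leaked store does not leak usable tokens.
    records: dict = field(default_factory=dict)

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, grant_id: str) -> str:
        """Issue a fresh, unpredictable refresh token for the given grant."""
        token = secrets.token_urlsafe(32)
        self.records[self._key(token)] = RefreshTokenRecord(grant_id)
        return token

    def _revoke_grant(self, grant_id: str) -> int:
        """Revoke every token issued under one grant; returns how many were revoked."""
        count = 0
        for rec in self.records.values():
            if rec.grant_id == grant_id and not rec.revoked:
                rec.revoked = True
                count += 1
        return count

    def refresh(self, presented: str) -> str:
        """Exchange a live refresh token for a new one (the old one is revoked)."""
        rec = self.records.get(self._key(presented))
        if rec is None:
            raise KeyError("unknown refresh token")
        if rec.revoked:
            # Reuse of a rotated token: assume exposure and revoke the family.
            self._revoke_grant(rec.grant_id)
            raise RefreshTokenReuseError(
                f"refresh token reuse detected; grant {rec.grant_id!r} revoked"
            )
        rec.revoked = True
        return self.issue(rec.grant_id)

    def is_valid(self, token: str) -> bool:
        rec = self.records.get(self._key(token))
        return rec is not None and not rec.revoked


def demo() -> tuple:
    """Walk through a normal rotation and a reuse, returning the observed states."""
    store = RotatingRefreshTokenStore()
    alice = store.issue("alice|my-app|my-api")      # constructed grant id
    bob = store.issue("bob|my-app|my-api")          # a different grant, unaffected

    alice2 = store.refresh(alice)                   # normal rotation
    rotated_ok = alice2 != alice and not store.is_valid(alice) and store.is_valid(alice2)

    try:
        store.refresh(alice)                        # replay of the old token
        reuse_detected = False
    except RefreshTokenReuseError:
        reuse_detected = True

    family_revoked = not store.is_valid(alice2)     # the "new" token is gone too
    other_grant_intact = store.is_valid(bob)
    return rotated_ok, reuse_detected, family_revoked, other_grant_intact


if __name__ == "__main__":
    print(demo())
```

The point of the `demo()` walkthrough is the last two flags: once the old token is replayed, even the most recently issued token under that grant stops working, while a different user's grant is untouched, which is exactly the per-user, per-application, per-audience scope described in the quoted documentation.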
Hi, thanks for your reply.
Where can I find documentation about the way Auth0 estimates a token has been stolen?
We don’t have documentation on how to determine if a refresh token is stolen because there are instances where it wouldn’t be possible to determine such a thing. If you are not following the guidelines described in the document I linked previously, then I would suggest making the changes.