I am trying to figure out a way to only have 1 refresh token per user, as opposed to just getting one every time the individual logs in. This means I need to either check if I have a non-blacklisted refresh token just before authentication and alter the scope, or just after I have authenticated. Ideally, I would want to do this after the authentication process so I don't need to check the database on every failed login attempt. Is there a way to get a refresh token post authentication?
The only way to get a refresh token would be to issue a new authorize request with the offline_access scope. But if the user has a session and has previously given consent to the application for offline access, then the user might not see any interactive prompts.
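The poster's "check after authentication" idea can be implemented on the authorization server side rather than by asking the client for another authorize request. The following is an added example, not code from either participant: an in-memory refresh-token store that is called only after credentials have been verified (so failed logins never hit it), revokes the user's previous refresh token before minting a new one, and applies refresh-token rotation with reuse detection. The class and method names (RefreshTokenStore, issue_after_login, redeem) are hypothetical; a real server would back the same logic with a database and, as here, persist only a hash of each token.

```python
import hashlib
import secrets
import time


class RefreshTokenStore:
    """Hypothetical store enforcing at most one active refresh token per user."""

    def __init__(self, ttl_seconds=30 * 24 * 3600):
        self.ttl = ttl_seconds
        self._records = {}          # token_hash -> {"user_id", "revoked", "expires_at"}
        self._active_by_user = {}   # user_id -> token_hash of the single active token

    @staticmethod
    def _hash(token):
        # Only a digest is persisted, so a leaked store does not leak usable tokens.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def _revoke_hash(self, token_hash):
        rec = self._records.get(token_hash)
        if rec is not None:
            rec["revoked"] = True

    def has_active_token(self, user_id, now=None):
        """The post-authentication check the poster describes: is there a
        non-revoked, unexpired refresh token for this user already?"""
        now = time.time() if now is None else now
        token_hash = self._active_by_user.get(user_id)
        if token_hash is None:
            return False
        rec = self._records[token_hash]
        return not rec["revoked"] and rec["expires_at"] > now

    def issue_after_login(self, user_id, now=None):
        """Called only after the user's credentials have been verified.
        Revokes any previous refresh token for the user, then mints one new
        token, so exactly one token is valid per user at any time."""
        now = time.time() if now is None else now
        old = self._active_by_user.get(user_id)
        if old is not None:
            self._revoke_hash(old)
        token = secrets.token_urlsafe(32)   # 256 bits of entropy, URL-safe
        token_hash = self._hash(token)
        self._records[token_hash] = {
            "user_id": user_id,
            "revoked": False,
            "expires_at": now + self.ttl,
        }
        self._active_by_user[user_id] = token_hash
        return token

    def is_valid(self, token, now=None):
        now = time.time() if now is None else now
        rec = self._records.get(self._hash(token))
        return rec is not None and not rec["revoked"] and rec["expires_at"] > now

    def redeem(self, token, now=None):
        """Refresh-token rotation: the presented token is consumed and a
        successor is issued. Presenting a token that was already rotated
        (revoked) is treated as a replay, so the user's current token is
        revoked as well and the next refresh forces an interactive login."""
        now = time.time() if now is None else now
        rec = self._records.get(self._hash(token))
        if rec is None or rec["expires_at"] <= now:
            return None
        if rec["revoked"]:
            current = self._active_by_user.get(rec["user_id"])
            if current is not None:
                self._revoke_hash(current)
            self._active_by_user.pop(rec["user_id"], None)
            return None
        # issue_after_login revokes the presented token and installs the successor.
        return self.issue_after_login(rec["user_id"], now)

    def active_token_count(self, user_id):
        return sum(
            1 for r in self._records.values()
            if r["user_id"] == user_id and not r["revoked"]
        )
```

Because issue_after_login runs only after a successful authentication, the database lookup the poster wants to avoid on failed attempts never happens; the cost of a second login is one revoke plus one insert, and the previous device's refresh token stops working, which is usually the desired outcome when a policy of one token per user is in force.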