I am trying to figure out a way to only have 1 refresh token per user as opposed to just getting one every time the individual logs in. This means I need to either check if I have a non-blacklisted refresh token just before authentication and alter the scope, or just after I have authenticated. Ideally, I would want to do this after the authentication process so I don’t need to check the database on every failed login attempt. Is there a way to get a refresh token post authentication?
The only way to get a refresh token would be to issue a new authorize request with the offline_access scope. But if the user has a session and has previously given consent to the application for offline access, then the user might not see any interactive prompts.
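A sketch of the flow discussed above, as an added example that is not part of the original thread: after a successful login the application checks its own token table and, only when the user has no non-blacklisted refresh token, builds a second authorize request that includes offline_access. The endpoint, client id, redirect URI, the `openid` scope and the in-memory store are assumptions made for illustration.

```python
import secrets
from urllib.parse import urlencode

# Assumed values for illustration; none of these come from the thread.
AUTHORIZE_ENDPOINT = "https://idp.example.com/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.com/callback"

# Constructed stand-in for the application's refresh-token table:
# user id -> list of token records with a blacklist flag.
SAMPLE_TOKEN_STORE = {
    "user-1": [{"token_id": "rt-old", "blacklisted": True}],
    "user-2": [{"token_id": "rt-live", "blacklisted": False}],
}


def has_active_refresh_token(store, user_id):
    """True if the user already holds a refresh token that is not blacklisted."""
    return any(not rec["blacklisted"] for rec in store.get(user_id, []))


def build_authorize_url(scopes, state):
    """Build an OAuth 2.0 authorization-code request for the given scopes."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def post_login_step(store, user_id):
    """Run only after a successful login, so failed attempts cost no lookup.

    Returns (url, state) for a follow-up authorize request that asks for
    offline_access, or None when the user already has a usable refresh token.
    """
    if has_active_refresh_token(store, user_id):
        return None
    # Keep the state value in the user's session and compare it in the
    # callback before exchanging the returned code.
    state = secrets.token_urlsafe(16)
    return build_authorize_url(["openid", "offline_access"], state), state
```

The refresh token returned by the code exchange for this second request should be recorded in the same table, so the next login finds it and skips the extra round trip.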