Problem statement
We have noticed that quick successive calls to the “/oauth/token” endpoint return the same token (i.e. multiple requests in a second). Is there a way to disable caching on the Auth0 side? We would like it so that each call will return a unique token.
Symptoms
The same token returned within the same second for two calls with the same payload.
Steps to reproduce
Call the /oauth/token endpoint with the same payload rapidly (>2 calls in one second).
Troubleshooting
Check timings on access tokens.
Cause
The same token is issued when these requests are processed within the same second because the payload hasn’t changed, and the returned claims are also identical. Most importantly, in this case, the iat and exp claims are the same as in the previous call, as they have a resolution of only 1 second.
When the values of these claims change, for example because the server processes the request in the following second, you will get a token with a different payload (the token is issued at, and expires, one second later than the previous token), and so the signature also changes. Because the RS256 algorithm is deterministic, the same header and payload will always produce the same signature.
Solution
You should cache tokens rather than requesting a new one for every call. If your use case nevertheless requires a unique token for the same payload regardless of request timing, you can add a custom claim containing a GUID to tokens issued in M2M flows. This gives each token a different payload, and therefore a different signature, regardless of the rate of requests.