Problem statement
If quick successive calls are made to the “/oauth/token” endpoint, it will return the same token (i.e. multiple requests in a second). Is there a way to disable caching on the Auth0 side in order to return a unique token on each request?
Symptoms
The same token returned within the same second for two calls with the same payload.
Steps to reproduce
Call the /oauth/token endpoint with the same payload rapidly (>2 calls in one second).
Troubleshooting
Check timings on access tokens.
Cause
The same token is issued when these requests are processed within the same second because the payload hasn’t changed, and the returned claims are also identical. Most importantly, in this case, the iat and exp claims are the same as the previous call, as they only have a maximum resolution of 1 second.
When the values of these claims change, such as the server processing the request in the next second, then you will get a token with a different payload (as the token was issued at and expires one second later than the previous token), and thus the signature will also change. As the RS256 algorithm is deterministic, the same header and payload will always result in the same signature.
Solution
It is recommended to cache tokens, but if a use case requires a unique token regardless of timings on the call for the same payload, add a custom claim GUID on Machine to Machine (M2M) flows to ensure the returned tokens are unique, as this will result in a differing payload regardless of the rate of requests.