Refresh token expiry cases

I want to clarify some specific cases of how the refresh token behaves.

Application settings:
The access token is valid for 24 hours.
Token rotation is enabled.
Leeway is set to 10 seconds.
Absolute lifetime is set to 9 days.
Inactivity time is set to 8 days.

  1. When the user logs in, the absolute lifetime is considered to start from that moment. If, while using the application, the user refreshes the access_token using the refresh token (token rotation is enabled), and the access_token is valid for 24 hours, then normally the user gets a new refresh token every day. Does the absolute token lifetime extend at this point, or does it stay as it was when the user first logged in?
  2. If there are multiple devices using the same credentials to log in to the application, are they considered completely isolated, or do they still share the same absolute lifetime for the refresh token, depending on which device logged in first? Also, if one of the users logs out manually or due to refresh token expiration, is the other device (which was logged in with the same credentials) affected in any way?
  3. We have the leeway time set to 10 seconds, but does the token have a usage limit? For example, if the same one is used 100 times within 10 seconds, will it still be valid?
  4. If the same refresh token was used 3 times within the leeway time to refresh a token, each returning a new refresh token, as I understood it any of those 3 new refresh tokens can be used to renew a token, but when you use the first token, which gives a new refresh token, the other two become invalid and only the new token from the first renewal can be used for further renewals?

Hi Mukhamed,

Welcome to Auth0 Community!

I will try and answer your questions below:

  1. A user may authenticate and start the clock running on the absolute lifetime setting. In the interim period a user may gain new refresh tokens via rotation, and new access tokens when they expire. The absolute lifetime will not reset at any point; when the absolute lifetime comes to an end, the end user will need to re-authenticate.

  2. I believe the same user logging into two devices on the same app will have their own token absolute lifetimes, i.e. they are not shared.

  3. I have not seen any evidence of usage instructions, therefore I would expect the scenario to be valid.

  4. In the leeway window only the previous token can be used. If the second-to-last token, for example, is used, then breach detection will trigger.

More info on this can be found here: Configure Refresh Token Rotation

Many thanks

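The scenarios from the four answers above, as an added example that is not part of the thread and not Auth0's code: a small Python model of a server-side refresh-token store with rotation, absolute and inactivity lifetimes, a leeway (reuse) window and reuse detection, using the settings from the original post. The rules it encodes (each login is its own token family; rotation never moves the absolute deadline, only the inactivity one; only the immediately previous token may be replayed, and only inside the leeway; anything else revokes the whole family; a replay inside the leeway still rotates) are one reading of Saqib's reply, not a description of how Auth0 actually implements it. All class and function names, the "family" terminology and the scenario timings are assumptions made up for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Application settings from the original post, in seconds.
DAY = 24 * 3600
LEEWAY = 10
ABSOLUTE_LIFETIME = 9 * DAY
INACTIVITY_LIFETIME = 8 * DAY


class ReuseDetected(Exception):
    """Reuse detection fired; the whole token family is revoked."""


@dataclass
class Family:
    absolute_expiry: float          # fixed at login, never extended
    inactivity_expiry: float        # pushed out on every successful refresh
    current: str = ""               # the token the client is expected to present
    previous: Optional[str] = None  # the token most recently rotated out
    rotated_at: float = 0.0         # when `previous` was rotated out
    revoked: bool = False


class TokenService:
    def __init__(self):
        self.families: Dict[str, Family] = {}
        self.index: Dict[str, str] = {}  # refresh token -> family id

    def _issue(self, family_id):
        token = secrets.token_urlsafe(32)
        self.index[token] = family_id
        return token

    def login(self, now):
        family_id = secrets.token_hex(8)  # each login is its own family; the absolute clock starts here
        fam = Family(now + ABSOLUTE_LIFETIME, now + INACTIVITY_LIFETIME)
        fam.current = self._issue(family_id)
        self.families[family_id] = fam
        return fam.current

    def logout(self, refresh_token):
        family_id = self.index.get(refresh_token)  # revokes this device's family only
        if family_id is not None:
            self.families[family_id].revoked = True

    def refresh(self, refresh_token, now):
        family_id = self.index.get(refresh_token)
        if family_id is None:
            raise ValueError("unknown refresh token")
        fam = self.families[family_id]
        if fam.revoked:
            raise ValueError("session revoked")
        for deadline, kind in ((fam.absolute_expiry, "absolute"), (fam.inactivity_expiry, "inactivity")):
            if now >= deadline:
                fam.revoked = True
                raise ValueError(f"{kind} lifetime reached, re-authenticate")
        if refresh_token == fam.current:
            fam.previous, fam.rotated_at = fam.current, now  # normal rotation
        elif refresh_token != fam.previous or now - fam.rotated_at > LEEWAY:
            fam.revoked = True  # modelling choice: reuse detection revokes the whole family
            raise ReuseDetected("refresh token reuse detected; family revoked")
        # Normal rotation, or a replay of `previous` inside the leeway window:
        # issue a new current token; only the inactivity deadline moves.
        fam.current = self._issue(family_id)
        fam.inactivity_expiry = now + INACTIVITY_LIFETIME
        return fam.current


def outcome(attempt):
    """Run one refresh attempt and describe how it ended."""
    try:
        attempt()
        return "renewed"
    except (ValueError, ReuseDetected) as exc:
        return str(exc)


def run_scenarios():
    results, svc = {}, TokenService()
    tok = svc.login(now=0)
    for day in range(1, 9):  # q1: daily rotation works for 8 days ...
        tok = svc.refresh(tok, now=day * DAY)
    results["q1_day9"] = outcome(lambda: svc.refresh(tok, now=9 * DAY))  # ... day 9 hits the limit fixed at login
    svc = TokenService()
    idle = svc.login(now=0)
    results["idle_8_days"] = outcome(lambda: svc.refresh(idle, now=8 * DAY))  # inactivity ends it before day 9
    svc = TokenService()
    phone, laptop = svc.login(now=0), svc.login(now=3600)
    svc.logout(phone)  # q2: logging the phone out leaves the laptop's family intact
    results["q2_laptop"] = outcome(lambda: svc.refresh(laptop, now=7200))
    svc = TokenService()
    a = svc.login(now=0)
    svc.refresh(a, now=100)  # normal rotation
    c = svc.refresh(a, now=105)  # q3/q4: replay of the previous token 5 s later is inside leeway
    results["q4_replay_at_11s"] = outcome(lambda: svc.refresh(a, now=111))  # outside leeway: reuse detection
    results["q4_newest_after_breach"] = outcome(lambda: svc.refresh(c, now=112))  # went down with the family
    return results
```

Calling run_scenarios() shows the absolute lifetime ending on day 9 despite daily rotation, an idle user being cut off on day 8 by the inactivity setting, the laptop session surviving the phone's logout, and a replay 11 seconds after rotation revoking even the newest token. Note how this model differs from the asker's reading of question 4: the intermediate token issued by the first rotation is neither current nor previous once the original token has been replayed, so presenting it trips reuse detection rather than simply becoming "invalid".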

Thanks for contributing to the community and helping on this one, Saqib!