I want to clarify some specific cases, on how the refresh token behaves.
Application settings:
The access token is valid for 24 hours.
Token rotation is enabled.
Leeway is set to 10 seconds.
Absolute lifetime is set to 9 days.
Inactivity time is set to 8 days.
- When the user logs in, from that moment the absolute lifetime is considered to have its starting point. If, while using the application, the user refreshes the access_token using the refresh token (token rotation is enabled), and the access_token is valid for 24 hours so normally the user gets a new refresh token every day, does the absolute lifetime extend at this point, or does it stay as it was when the user first logged in?
- If there are multiple devices using the same credentials to log in to the application, are they considered completely isolated, or do they still share the same absolute lifetime for the refresh token depending on which device logged in first? Can it also be that if one of the users logged out manually or due to refresh token expiration, the other device (which was logged in with the same credentials) is affected as well?
- We have the leeway time set to 10 seconds, but does the token have a usage limit? For example, if the same one is used 100 times within 10 seconds, will it still be valid?
- If the same refresh token was used 3 times within the leeway time, each returning a new refresh token, as I understood it any of those 3 new refresh tokens can be used to renew a token; but when you use the first token, which gives a new refresh token, do the other two become invalid so that only the new token from the first renewal can be used for further renewals?
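As an added illustration (not from the original post and not any vendor's implementation), here is a small model of refresh token rotation using the settings above: absolute lifetime anchored at login and never extended, inactivity measured from the last successful refresh, reuse of a retired token inside the leeway treated as a retry, reuse outside it treated as theft that revokes the whole family, and each login an independent family so devices share no state. Those semantics are assumptions of this model, chosen to show how the parameters interact, not a statement of how any particular provider behaves.

```python
import secrets
from dataclasses import dataclass, field

# Settings from the post, in seconds (access token TTL is not needed here).
LEEWAY = 10
ABSOLUTE_LIFETIME = 9 * 86400
INACTIVITY_LIFETIME = 8 * 86400

@dataclass
class Family:
    # One login = one token family (one device); families never share state.
    login_at: float
    last_refresh_at: float
    current: str
    retired: dict = field(default_factory=dict)  # old token -> time it was rotated out
    revoked: bool = False

class RefreshTokenStore:
    def __init__(self):
        self.families = {}  # family id -> Family
        self.lookup = {}    # refresh token -> family id

    def _issue(self, fid):
        rt = secrets.token_urlsafe(32)
        self.lookup[rt] = fid
        return rt

    def login(self, now):
        fid = secrets.token_hex(8)
        rt = self._issue(fid)
        self.families[fid] = Family(login_at=now, last_refresh_at=now, current=rt)
        return rt

    def refresh(self, rt, now):
        # Returns a usable refresh token, or None if the request must be rejected.
        fid = self.lookup.get(rt)
        if fid is None or self.families[fid].revoked:
            return None
        fam = self.families[fid]
        # Assumed semantics: absolute lifetime anchored at login; inactivity from last refresh.
        if now - fam.login_at > ABSOLUTE_LIFETIME or now - fam.last_refresh_at > INACTIVITY_LIFETIME:
            fam.revoked = True
            return None
        if rt != fam.current:
            if now - fam.retired[rt] <= LEEWAY:
                return fam.current  # retry inside leeway: same answer, no extra rotation
            fam.revoked = True      # reuse outside leeway: treat as theft, revoke the family
            return None
        fam.retired[rt] = now
        fam.current = self._issue(fid)
        fam.last_refresh_at = now
        return fam.current
```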