Regarding refresh tokens, is the following correct?
- There is only one valid refresh token at any given time
- Refresh token is re-used and the old token is invalidated every time the “refresh token request” is sent to Auth0
If that’s correct then we have the following situation
- We sent a “refresh token” request. The request has timed out (we have a network timeout exception on our side). We never got the response back due to a random network issue. But it looks like the request itself did reach Auth0 and tokens were re-issued on the Auth0 side.
- We retried with the old tokens and got “Refresh token invalid or expired”.
Basically if refresh token request fails like described above there is no way to retry. The sync is performed by a background app without user intervention so we cannot “redirect to Auth0 for re-authentication” when this happens.
Does it make sense? Any advice how to mitigate this issue? This happened only once so far but because refresh token requests are being sent pretty often I think this will happen again.
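
The lost-response scenario described in the post, as an added example that is not part of the original post and is not Auth0's code. It is a toy in-memory model of single-use refresh token rotation; the class, function names and the `reuse_grace_seconds` setting are hypothetical, and the grace window is shown as one general way a rotating server can tolerate a retried request.

```python
import secrets


class RotatingTokenServer:
    """Toy in-memory authorization server (constructed for this example)."""

    def __init__(self, reuse_grace_seconds=0.0):
        self.reuse_grace_seconds = reuse_grace_seconds  # hypothetical setting
        self.current = secrets.token_urlsafe(16)  # the one valid refresh token
        self.previous = None                      # the token it replaced
        self.rotated_at = None                    # time of the last rotation

    def refresh(self, presented, now):
        if presented == self.current:
            # Normal path: rotate and remember what was replaced, and when.
            self.previous, self.current = self.current, secrets.token_urlsafe(16)
            self.rotated_at = now
            return self.current
        in_grace = (presented == self.previous and self.rotated_at is not None
                    and now - self.rotated_at < self.reuse_grace_seconds)
        if in_grace:
            # Retry of a request whose response was lost: return the same
            # successor token instead of rotating a second time.
            return self.current
        raise PermissionError("Refresh token invalid or expired")


def refresh_with_lost_response(server, stored_token, retry_delay):
    """Client side: the first response is lost to a timeout, then one retry."""
    server.refresh(stored_token, now=0.0)  # server rotates; reply never arrives
    try:
        return server.refresh(stored_token, now=retry_delay)  # retry, old token
    except PermissionError as exc:
        return str(exc)


def run_scenarios():
    results = {}
    strict = RotatingTokenServer(reuse_grace_seconds=0.0)
    results["strict"] = refresh_with_lost_response(strict, strict.current, 2.0)
    lenient = RotatingTokenServer(reuse_grace_seconds=10.0)
    got = refresh_with_lost_response(lenient, lenient.current, 2.0)
    results["grace_retry_ok"] = (got == lenient.current)
    late = RotatingTokenServer(reuse_grace_seconds=10.0)
    results["grace_too_late"] = refresh_with_lost_response(late, late.current, 30.0)
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

A grace window also extends the time during which a stolen, already-rotated token is still accepted, so it should be kept as short as the client's retry timing allows.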