Refresh token grace period

Regarding refresh tokens, is the following correct?

  • There is only one valid refresh token at any given time
  • Refresh token is re-used and the old token is invalidated every time the “refresh token request” is sent to Auth0
    If that’s correct then we have the following situation
  1. We sent a “refresh token” request. The request has timed out (we have a network timeout exception on our side). We never got the responce back due to a random network issue. But it looks like the request itself did reach Auth0 and tokens were re-issued on Auth0 side.
  2. We retried with the old tokens and got “Refresh token invalid or expired”.
    Basically if refresh token request fails like described above there is no way to retry. The sync is performed by a background app without user intervention so we cannot “redirect to Auth0 for re-authentication” when this happens.
    Does it make sense? Any advice how to mitigate this issue? This happened only once so far but because refresh token requests are being sent pretty often I think this will happen again.

Hi @imranismail,

Welcome to the Community!

Are you using a SPA? If so, this is the only refresh token flow that is available for SPAs, and you will have to find a way to prompt for reauthentication if there is an invalid refresh token.

How does your app initially check for whether or not a user is logged in/has a refresh token?

Let me know,

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.