Refresh token rotation: Automatic reuse detection issue in iOS app

Problem statement

We have recently been facing a production issue related to the behavior of the automatic reuse detection ('ferrt' error logs) when enabling refresh token rotation for our mobile iOS application, even with a high leeway time. Here are the details from the tenant logs:

"details": {
  "familyId": "<REDACTED>",
  "tokenCounter": 4,
  "latestCounter": 6
}

Troubleshooting

  • If tokenCounter is lower than latestCounter, only the immediately previous token (latestCounter - 1) can still be reused, and only within the leeway window.
  • If an older token, such as the second-to-last one, is exchanged, reuse detection is triggered no matter how high the leeway time is. In the log above the presented token (tokenCounter 4) is two rotations behind latestCounter 6, so leeway cannot cover it.
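
The two rules above, as an added model that is not Auth0's code: a constructed token family with rotation, a leeway window for the immediately previous token, and a helper that reads the counters from a 'ferrt' log entry and says whether raising the leeway could have helped. Family ids, timings and the leeway value are constructed sample inputs.

```python
import json
from dataclasses import dataclass, field

@dataclass
class TokenFamily:
    """Constructed model of one refresh-token family with rotation and reuse detection."""
    leeway: float                       # seconds a just-superseded token may still be presented
    latest_counter: int = 1
    issued_at: dict = field(default_factory=lambda: {1: 0.0})
    revoked: bool = False

    def exchange(self, token_counter: int, now: float) -> dict:
        """Simulate presenting token number `token_counter` at time `now`."""
        if self.revoked:
            return {"result": "rejected"}
        if token_counter == self.latest_counter:
            # Normal rotation: the newest token is presented, mint its successor
            self.latest_counter += 1
            self.issued_at[self.latest_counter] = now
            return {"result": "rotated", "latestCounter": self.latest_counter}
        age = now - self.issued_at[self.latest_counter]
        if token_counter == self.latest_counter - 1 and age <= self.leeway:
            # Only the immediately previous token may be reused, and only inside the leeway
            return {"result": "reused_within_leeway", "latestCounter": self.latest_counter}
        # Anything older, or the previous token outside leeway, trips reuse detection
        self.revoked = True
        return {"result": "breach",
                "details": {"tokenCounter": token_counter, "latestCounter": self.latest_counter}}

def classify_ferrt(details: dict) -> str:
    """From the logged counters, say whether leeway could have prevented the event."""
    gap = details["latestCounter"] - details["tokenCounter"]
    if gap == 1:
        return "previous token reused outside leeway; a longer leeway may cover this race"
    if gap >= 2:
        return "token is %d rotations behind; leeway cannot help, the client presented a stale token" % gap
    return "unexpected counters"

# Constructed log entry mirroring the shape of the tenant log above
FERRT_LOG = '{"details": {"familyId": "fam-example", "tokenCounter": 4, "latestCounter": 6}}'

def replay_ios_scenario(leeway: float = 60.0) -> list:
    """Rotate five times, then present token 5 (one behind) and token 4 (two behind) at t=45s."""
    fam = TokenFamily(leeway=leeway)
    results = [fam.exchange(n, 10.0 * (n - 1)) for n in range(1, 6)]   # tokens 1..5 -> latest 6
    results.append(fam.exchange(5, 45.0))   # one behind, inside leeway: allowed
    results.append(fam.exchange(4, 45.0))   # two behind: breach regardless of leeway
    return results

if __name__ == "__main__":
    for r in replay_ios_scenario():
        print(r)
    print(classify_ferrt(json.loads(FERRT_LOG)["details"]))
```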

Solution

Here are a few things to check that could be causing this issue: