Is there an option to not issue a new refresh token each time an access token is refreshed?
As outlined in RFC6749:
The authorization server MAY issue a new refresh token, in which case the client MUST discard the old refresh token and replace it with the new refresh token.
Currently, each time I refresh an access token I’m given a new refresh token and new access token. I’d like to keep the same refresh token in use until it is manually revoked. Is this possible?
Thanks!