Long Lived Refresh Tokens

carmike · March 9, 2018, 5:36pm

Is there an option to not issue a new refresh token each time an access token is refreshed?

As outlined in RFC6749:

The authorization server MAY issue a new refresh token, in which case the client MUST discard the old refresh token and replace it with the new refresh token.

Currently, each time I refresh an access token I’m given a new refresh token and new access token. I’d like to keep the same refresh token in use until it is manually revoked. Is this possible?

Thanks!

dave-shawley · March 12, 2019, 7:53pm

Hi @carmike, did you find an answer for this?

carmike · March 13, 2019, 1:40am

No, I never did find an answer.

dave-shawley · March 13, 2019, 3:15pm

Thanks. I think that I’m going ask again and see if anyone bites.

Topic		Replies	Views
Long-lived OAuth 2 refresh tokens Questions	0	515	March 13, 2019
OAuth 2 Enhancements Questions	2	504	October 1, 2019
Kong How to implement refresh token using openid plugin?	3	425	March 30, 2023
Refresh Token in oauth2 plugin Questions	6	544	October 6, 2021
About the Oauth2 Module Questions	1	359	July 11, 2021

Long Lived Refresh Tokens

Related Topics