Long Lived Refresh Tokens


#1

Is there an option to not issue a new refresh token each time an access token is refreshed?

As outlined in RFC6749:

The authorization server MAY issue a new refresh token, in which case the client MUST discard the old refresh token and replace it with the new refresh token.

Currently, each time I refresh an access token I’m given a new refresh token and new access token. I’d like to keep the same refresh token in use until it is manually revoked. Is this possible?

Thanks!


Long-lived OAuth 2 refresh tokens
#2

Hi @carmike, did you find an answer for this?


#3

No, I never did find an answer.


#4

Thanks. I think that I’m going ask again and see if anyone bites.