en/includes/guides/fragments/manage-app/oidc-settings/refresh-token.md
5 additions & 4 deletions
@@ -8,6 +8,7 @@ By default, whenever the refresh token is exchanged for a new access token, {{pr
8
8
If you select the **Renew refresh token** option, each time the refresh token is exchanged for a new access token, {{product_name}} invalidates the existing refresh token and issues a new refresh token.
9
9
10
10
{% if product_name == "Asgardeo" or (product_name == "WSO2 Identity Server" and is_version > "7.2.0" ) %}
11
+
11
12
#### Extend expiry time of renewed refresh token
12
13
13
14
!!! note
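Review bot: the blank line added after the `{% if %}` guard is harmless, but the guard itself in the context line, `is_version > "7.2.0"`, compares against a string literal, so if `is_version` is a plain string the comparison is lexicographic and a version such as "7.10.0" evaluates as lower than "7.2.0", hiding this section. Consider comparing parsed version components or documenting that the scheme never reaches two-digit minor versions.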
@@ -21,13 +22,13 @@ When you set this configuration to `false`, renewed refresh tokens carry the rem
21
22
This option specifies the validity period of a refresh token in seconds. The default value is 86400 seconds.
22
23
23
24
{% if product_name == "Asgardeo" or (product_name == "WSO2 Identity Server" and is_version > "7.3.0") %}
25
+
24
26
#### Graceful refresh token rotation
25
27
26
28
!!! note
27
29
This option is only applicable when **Renew refresh token** is enabled.
28
30
29
-
When **Renew refresh token** is enabled, a client that never received the newly issued refresh token (for example, due to a dropped network connection) would normally be forced to re-authenticate. Enabling **Graceful refresh token rotation** lets the previous refresh token remain usable for a short, configurable grace window after it has been rotated, so the client can recover without interrupting the user session.
30
-
31
+
When **Renew refresh token** is enabled, if a client never receives the newly issued refresh token (for example, due to a dropped network connection), the server forces the client to re-authenticate. Enabling **Graceful refresh token rotation** lets the previous refresh token remain usable for a short, configurable grace window after rotation, so the client can recover without interrupting the user session.
31
32
32
33
#### Graceful refresh token rotation validity period
33
34
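Review bot: the rewritten paragraph (the `+` line replacing old line 30) drops the qualifier "would normally be", so it now states flatly that the server forces re-authentication whenever the new token is lost, and the following sentence then contradicts it. Keep the contrast explicit, e.g. "the client is otherwise forced to re-authenticate, because the previous token has already been invalidated", followed by "Enabling **Graceful refresh token rotation** lets ...". That wording also reflects what the client actually observes: the old token is rejected with `invalid_grant`, rather than the server issuing any explicit re-authentication instruction.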
@@ -60,9 +61,9 @@ The maximum allowed reuse limit on Asgardeo is **5**.
60
61
61
62
The following runtime rules apply during the grace window:
62
63
63
-
-**Replay inside the grace window.** If the client replays the old refresh token (RT0) inside the grace window, {{product_name}} issues a new access token and a new refresh token, and revokes the previously issued rotated token (RT1). Only one child of the parent token is honoured at a time; the most recent replay always wins.
64
+
-**Replay inside the grace window.** If the client replays the old refresh token (RT0, the original token) inside the grace window, {{product_name}} issues a new access token and a new refresh token, and revokes the previously issued rotated token (RT1, the replacement token). Only one child of the parent token is honoured at a time; the most recent replay always wins.
64
65
-**Using the new refresh token closes the grace window.** Once the client successfully uses the rotated token (RT1), the previous gracefully-rotated token (RT0) is immediately revoked. Any subsequent attempt to replay RT0 returns `400 invalid_grant`.
65
66
-**Reuse limit.** If the old refresh token is replayed more times than the configured limit within the window, further replays return `400 invalid_grant`.
66
67
-**Grace window expiry.** If the old refresh token is replayed after the validity period has elapsed, the request returns `400 invalid_grant`.
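Review bot: defining RT0 and RT1 at first use is the right place, since the later bullets ("Using the new refresh token closes the grace window", "Reuse limit", "Grace window expiry") rely on those labels; keep the glosses here rather than repeating them per bullet. One consequence worth adding to this bullet: because a replay of RT0 revokes RT1, a legitimate client that did receive RT1 will get `400 invalid_grant` on its next refresh and must re-authenticate. Spelling that out helps readers weigh the grace window against that disruption and set the reuse limit conservatively.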