
Feature: Graceful refresh token #6173

Open

Thumimku wants to merge 2 commits into wso2:master from Thumimku:gracefulToken

Conversation


@Thumimku Thumimku commented Jun 3, 2026

Purpose

Public Issue: wso2/product-is#27820

Add docs for the feature

IS Doc
doc

Asgardeo Doc
docAsgardeo


coderabbitai Bot commented Jun 3, 2026


Warning

Review limit reached

@Thumimku, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 19 minutes and 14 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: b1ed3c3f-99f1-4b2b-a63b-fc5409dec55b

📥 Commits

Reviewing files that changed from the base of the PR and between 5b855c3 and 2c56eef.

📒 Files selected for processing (1)
  • en/includes/guides/fragments/manage-app/oidc-settings/refresh-token.md
📝 Walkthrough

This PR expands OIDC refresh token documentation by adding a new "Graceful refresh token rotation" section that details grace window configuration parameters, product-specific constraints, WSO2 server configuration examples, and runtime token replay and invalidation behavior.

Changes

OIDC Refresh Token Rotation Configuration

Graceful refresh token rotation configuration and runtime behavior (en/includes/guides/fragments/manage-app/oidc-settings/refresh-token.md): a new subsection documents the grace window validity period, reuse limits, and product-specific constraints for Asgardeo and WSO2 Identity Server (with a deployment.toml example). It includes the runtime rules governing token replay during the grace window, when the window closes, and the conditions that return 400 invalid_grant.

Suggested labels

Team/API Access Mgt & Authorization

Suggested reviewers

  • himeshsiriwardana
  • ashanthamara
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Description check: ⚠️ Warning. The description is incomplete and is missing required sections: Test environment and Security checks are not addressed, and the Purpose section lacks detail beyond linking the issue. Resolution: add Test environment details and complete all Security checks checkboxes; expand Purpose with more context about what the documentation covers and why it is needed.

✅ Passed checks (4 passed)

Title check: ✅ Passed. The title accurately summarizes the main change: adding documentation for the graceful refresh token feature described in the changeset.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage; the docstring coverage check was skipped.
Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 6

🧹 Nitpick comments (1)
en/includes/guides/fragments/manage-app/oidc-settings/refresh-token.md (1)

34-34: 💤 Low value

Consider rephrasing for directness.

The constraint "This period cannot extend beyond" uses a negative construction. As per coding guidelines, prefer direct statements.

✍️ Optional revision
-The number of seconds the previous refresh token remains usable after rotation. This period cannot extend beyond the refresh token's absolute expiry time set by **Refresh token expiry time**.
+The number of seconds the previous refresh token remains usable after rotation. The period ends at the refresh token's absolute expiry time set by **Refresh token expiry time**, whichever comes first.
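Review bot: in the suggested `+` line, "whichever comes first" has nothing to pair with, because the sentence names only the absolute expiry time. The two candidates are the configured number of seconds and the absolute expiry, so the line should read along the lines of "The period ends after the configured number of seconds or at the refresh token's absolute expiry time set by **Refresh token expiry time**, whichever comes first."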
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@en/includes/guides/fragments/manage-app/oidc-settings/refresh-token.md`:
- Line 63: Fix the formatting and typos in the sentence starting "Replay inside
the grace window .": remove the extra space before the period (make "grace
window.") and collapse the double space between "new  refresh token" to a single
space ("new refresh token"); ensure the rest of the sentence remains unchanged
(mentions RT0, RT1, and that the most recent replay wins) so the updated line
reads with correct spacing and punctuation.
- Line 29: The sentence in the "Renew refresh token" paragraph uses passive
voice ("a client that never received... would normally be forced to
re-authenticate"); rewrite it in active voice so the subject performs the
action—for example, change the clause around "a client that never received the
newly issued refresh token... would normally be forced to re-authenticate" to an
active construction that names the actor (e.g., "the server forces the client to
re-authenticate" or "the client must re-authenticate") while keeping the
explanation of how "Graceful refresh token rotation" preserves the previous
token for a short grace window; update the sentence containing the phrases
"Renew refresh token" and "Graceful refresh token rotation" accordingly to
maintain meaning and clarity.
- Line 31: Remove the extra consecutive blank line(s) in the markdown file
refresh-token.md so that only a single blank line separates paragraphs/sections
(fix the MD012 lint issue); edit the fragment in
en/includes/guides/fragments/manage-app/oidc-settings/refresh-token.md and
collapse multiple blank lines into one where they occur.
- Line 68: The file is missing a trailing newline at EOF; add a single newline
character after the final token "{% endif %}" so the file ends with exactly one
blank line (complying with MD047 linting rules).
- Line 24: Add a blank line above the heading "#### Graceful refresh token
rotation" to satisfy MD022 linting; locate the heading in the
manage-app/oidc-settings fragment (the line containing "#### Graceful refresh
token rotation") and insert a single empty line immediately before it so the
heading is separated from the previous paragraph or element.
- Around line 63-66: Define the abbreviations RT0 and RT1 on first use in the
refresh-token.md fragment: add a brief parenthetical or sentence before the
bullet list that explains RT0 = "original refresh token" (or "previous refresh
token") and RT1 = "rotated/new refresh token" so every subsequent bullet (e.g.,
the lines referencing "Replay inside the grace window", "Using the new refresh
token closes the grace window", "Reuse limit", and "Grace window expiry") is
clear; you can either insert a one-line notation above the list or expand the
first occurrence in the first bullet to read "RT0 (original refresh token)" and
"RT1 (rotated refresh token)".

---

Nitpick comments:
In `@en/includes/guides/fragments/manage-app/oidc-settings/refresh-token.md`:
- Line 34: Rewrite the sentence about refresh-token rotation to use a direct
positive construction: replace "This period cannot extend beyond the refresh
token's absolute expiry time set by **Refresh token expiry time**." with a
concise statement such as "This period ends no later than the refresh token's
absolute expiry time (set by **Refresh token expiry time**)." Update the
fragment that begins "The number of seconds the previous refresh token remains
usable after rotation." so the two lines read clearly together and avoid
negative phrasing.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: e04a7f83-bce3-498c-95f7-9d7857d8f4aa

📥 Commits

Reviewing files that changed from the base of the PR and between 8c4c516 and 5b855c3.

📒 Files selected for processing (1)
  • en/includes/guides/fragments/manage-app/oidc-settings/refresh-token.md
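The grace window rules summarized in the review above (the previous refresh token stays usable for a configured number of seconds after rotation, capped at its absolute expiry; a reuse limit; a replay inside the window issues a fresh token and the most recent replay wins; presenting the new token closes the window; anything else returns 400 invalid_grant) can be made concrete with a small server-side model. The block below is an added example written for this page, not code from this PR, the WSO2 documentation, or Identity Server. The setting names are stand-ins rather than deployment.toml keys, and two readings are this example's assumptions: a rotated token receives a fresh absolute expiry, and "most recent replay wins" means the earlier successor is revoked when the old token is replayed again.

```python
"""Model of graceful refresh token rotation at a token endpoint (added example)."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

GRACE_WINDOW_SECONDS = 60            # assumed setting: previous RT usable this long after rotation
REUSE_LIMIT = 2                      # assumed setting: max replays of the previous RT
REFRESH_TOKEN_EXPIRY_SECONDS = 3600  # assumed setting: absolute refresh token expiry


class InvalidGrant(Exception):
    """Stands in for the token endpoint's 400 invalid_grant response."""


@dataclass
class RefreshToken:
    value: str
    absolute_expiry: float
    parent: Optional[str] = None         # token this one was rotated from
    active: bool = True                  # usable for a normal rotation
    grace_until: Optional[float] = None  # set when rotated; None means the window is closed
    replays_left: int = 0
    successor: Optional[str] = None      # most recently issued child


class TokenStore:
    """Authorization-server-side refresh token state for one grant."""

    def __init__(self) -> None:
        self.tokens: Dict[str, RefreshToken] = {}

    def _mint(self, now: float, parent: Optional[str] = None) -> RefreshToken:
        # Assumption: a newly issued token gets a fresh absolute expiry.
        tok = RefreshToken(secrets.token_urlsafe(24), now + REFRESH_TOKEN_EXPIRY_SECONDS, parent)
        self.tokens[tok.value] = tok
        return tok

    def issue_initial(self, now: float) -> str:
        return self._mint(now).value

    @staticmethod
    def _close_grace(tok: RefreshToken) -> None:
        tok.grace_until = None
        tok.replays_left = 0

    def refresh(self, presented: str, now: float) -> str:
        """Handle grant_type=refresh_token and return the new refresh token value."""
        tok = self.tokens.get(presented)
        if tok is None or now >= tok.absolute_expiry:
            raise InvalidGrant("unknown, revoked or expired refresh token")

        if tok.active:
            # Normal rotation: retire the presented token and open its grace
            # window, capped at the token's own absolute expiry.
            tok.active = False
            tok.grace_until = min(now + GRACE_WINDOW_SECONDS, tok.absolute_expiry)
            tok.replays_left = REUSE_LIMIT
            # Presenting the new token proves the client received it, so the
            # parent's window closes and the older token can no longer be replayed.
            if tok.parent in self.tokens:
                self._close_grace(self.tokens[tok.parent])
            child = self._mint(now, parent=tok.value)
            tok.successor = child.value
            return child.value

        # The presented token was already rotated, so this is a replay.
        if tok.grace_until is None or now >= tok.grace_until or tok.replays_left <= 0:
            self._close_grace(tok)
            raise InvalidGrant("grace window closed or reuse limit reached")

        tok.replays_left -= 1
        # Assumed reading of "most recent replay wins": the earlier successor is
        # revoked so only one live descendant of the old token exists at a time.
        if tok.successor in self.tokens:
            self.tokens[tok.successor].active = False
            self._close_grace(self.tokens[tok.successor])
        child = self._mint(now, parent=tok.value)
        tok.successor = child.value
        return child.value


def try_refresh(store: TokenStore, token: str, now: float) -> Optional[str]:
    """Return the new refresh token, or None where the endpoint would answer invalid_grant."""
    try:
        return store.refresh(token, now)
    except InvalidGrant:
        return None


def scenario_missed_response() -> dict:
    """Client sends RT0, never receives RT1, retries with RT0, then continues with RT2."""
    store = TokenStore()
    rt0 = store.issue_initial(now=0)
    rt1 = store.refresh(rt0, now=10)                       # rotation; RT1 is lost in transit
    rt2 = store.refresh(rt0, now=20)                       # replay inside the window issues RT2
    rt1_revoked = try_refresh(store, rt1, now=21) is None  # most recent replay wins
    rt3 = try_refresh(store, rt2, now=30)                  # using RT2 closes RT0's window
    rt0_closed = try_refresh(store, rt0, now=31) is None
    return {"rt1_revoked": rt1_revoked, "rt0_closed": rt0_closed,
            "distinct_tokens": len({rt0, rt1, rt2, rt3})}
```

The reuse limit and the cap at absolute expiry are what keep the window from becoming an open-ended replay allowance: a previous token that leaks is good for at most REUSE_LIMIT further exchanges inside the window, and the first use of the legitimate successor shuts it.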


{% if product_name == "Asgardeo" or (product_name == "WSO2 Identity Server" and is_version > "7.3.0") %}

#### Graceful refresh token rotation
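Review bot: the gate `is_version > "7.3.0"` on the template line above compares against a string literal, so if `is_version` is itself a plain string the comparison is lexicographic and a future "7.10.0" sorts below "7.3.0", hiding the section on that release. Compare a parsed version (for example a tuple of integers) or use whichever version-comparison helper the docs templates already rely on.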
Contributor:

IMO, we should have a single title for graceful refresh token rotation and add others as subtitles under it

@Thumimku (Contributor, Author):

I also looked for that, but in the current doc format we don't have a place to put it. The one that comes close is IAM Concepts; there we would also need to have a section called Tokens, which could then have Access Token and Refresh Tokens.
