0

The server should invalidate the refresh token that has already been used for generating new access token and refresh tokens, however the refresh token can be used multiple times for generating new tokens, without being invalidated, even though the server provides a new refresh token each time the request is triggered. I'm using AzureAD for my application.

I know there is a way to expire refresh tokens that have already been used using Refresh Token Rotation Implementation but is it implementable in AzureAD.

Improve this question

1 Answer 1

Reset to default
1

I'm pretty sure that it is working as they have designed it. The purpose is that you can take the new refresh token and replace the one you have in your cache. If you are running a distributed application, it is a good thing that the current refresh token doesn't immediately stop working since it allows the other instances to keep working while the token is refreshed in another. As far as I am aware, there is no place to change this behaviour.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.