It's a subtle difference, but one-time use refers to the value of the refresh token, which you use against the /oauth2/token endpoint to get a new access token via the refresh grant.
A sliding window refers to the refresh token itself, which has a unique id which stays the same, even as the value of the refresh token changes.
So if you had a refresh token with a lifetime of 4 hours, a sliding window and one time use configured, you might end up with something like this:
- at creation: id
09cfb961-291a-420f-b5cf-48c5c87a67cc
, valueRNhY5yE39t1o2FXKxgyH
, lifetime 4 hours - when the RT is presented to the /oauth2/token endpoint 3 hours after creation: id
09cfb961-291a-420f-b5cf-48c5c87a67cc
, valueFh95KZLfSMjMNxpR5B4c
, lifetime 4 more hours - when the RT is presented to the /oauth2/token endpoint 3 hours later: id
09cfb961-291a-420f-b5cf-48c5c87a67cc
, valuebaHneP4s0hBHPEk88GPC
, lifetime 4 more hours
More details here: https://github.com/FusionAuth/fusionauth-issues/issues/2925