Compatibility of refresh token settings: sliding window and one-time use
-
If you have a one-time use refresh token, then every time it is used, you get a new refresh token.
If you have a refresh token with a sliding window, every time you use it, its lifetime is extended.
How are these settings compatible?
-
It's a subtle difference, but one-time use refers to the value of the refresh token, which you use against the /oauth2/token endpoint to get a new access token via the refresh grant.
A sliding window refers to the refresh token itself, which has a unique id which stays the same, even as the value of the refresh token changes.
So if you had a refresh token with a lifetime of 4 hours, a sliding window and one-time use configured, you might end up with something like this:
- at creation: id 09cfb961-291a-420f-b5cf-48c5c87a67cc, value RNhY5yE39t1o2FXKxgyH, lifetime 4 hours
- when the RT is presented to the /oauth2/token endpoint 3 hours after creation: id 09cfb961-291a-420f-b5cf-48c5c87a67cc, value Fh95KZLfSMjMNxpR5B4c, lifetime 4 more hours
- when the RT is presented to the /oauth2/token endpoint 3 hours later: id 09cfb961-291a-420f-b5cf-48c5c87a67cc, value baHneP4s0hBHPEk88GPC, lifetime 4 more hours
More details here: https://github.com/FusionAuth/fusionauth-issues/issues/2925
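The timeline in the answer, replayed in code. This is an added illustration written for this page, not FusionAuth's implementation and not code from the thread: it keeps one refresh token record with a stable id (the thing a sliding window extends) and rotates the value (the thing one-time use retires) on every refresh grant. The in-memory store, the integer clock, the `RefreshTokenStore` / `simulate_timeline` names, and the choice to revoke the whole record when a consumed value is presented again are all assumptions of this example; the page does not describe how FusionAuth handles reuse. The `sliding_window=False` path goes beyond the answer to show what changes when only one-time use is enabled.

```python
"""Toy model of refresh token settings: sliding window + one-time use.

Added example; not FusionAuth's code. The record id stays fixed across
grants while the value sent to /oauth2/token is replaced on each use.
"""
import secrets
import uuid
from dataclasses import dataclass

HOUR = 3600


class RefreshTokenError(Exception):
    """Base class for refresh grant failures."""


class InvalidToken(RefreshTokenError):
    """Value is unknown: never issued, or its record was revoked."""


class ExpiredToken(RefreshTokenError):
    """Value is known but the record's (possibly extended) lifetime has passed."""


class ReuseDetected(RefreshTokenError):
    """A consumed one-time value was presented again; the record was revoked."""


@dataclass
class RefreshToken:
    id: str           # stable identifier of the refresh token record
    value: str        # current secret presented to the token endpoint
    expires_at: int   # absolute time in seconds when the current lifetime ends


class RefreshTokenStore:
    """In-memory store for the simulation (assumption; a server would persist it)."""

    def __init__(self, lifetime_seconds: int, sliding_window: bool = True,
                 one_time_use: bool = True):
        self.lifetime = lifetime_seconds
        self.sliding_window = sliding_window
        self.one_time_use = one_time_use
        self._by_value: dict[str, RefreshToken] = {}   # currently valid values
        self._by_id: dict[str, RefreshToken] = {}      # live records by id
        self._consumed: dict[str, str] = {}            # retired value -> record id

    def create(self, now: int) -> RefreshToken:
        token = RefreshToken(id=str(uuid.uuid4()),
                             value=secrets.token_urlsafe(15),
                             expires_at=now + self.lifetime)
        self._by_value[token.value] = token
        self._by_id[token.id] = token
        return token

    def revoke(self, token_id: str) -> None:
        token = self._by_id.pop(token_id, None)
        if token is not None:
            self._by_value.pop(token.value, None)

    def refresh(self, presented_value: str, now: int) -> RefreshToken:
        """Process one refresh grant and return the record as it stands afterwards."""
        if presented_value in self._consumed:
            # Assumption for this example: a replayed one-time value means the
            # value leaked, so the whole record is revoked rather than just rejected.
            token_id = self._consumed[presented_value]
            self.revoke(token_id)
            raise ReuseDetected(token_id)
        token = self._by_value.get(presented_value)
        if token is None:
            raise InvalidToken()
        if now >= token.expires_at:
            self.revoke(token.id)
            raise ExpiredToken(token.id)
        if self.sliding_window:
            # Sliding window: the record's lifetime restarts from this use.
            token.expires_at = now + self.lifetime
        if self.one_time_use:
            # One-time use: retire the presented value and issue a new one,
            # keeping the same record and therefore the same id.
            del self._by_value[presented_value]
            self._consumed[presented_value] = token.id
            token.value = secrets.token_urlsafe(15)
            self._by_value[token.value] = token
        return token


def simulate_timeline() -> list[tuple[str, str, int]]:
    """Replay the answer's timeline: create at 0h, refresh at 3h, refresh again at 6h."""
    store = RefreshTokenStore(lifetime_seconds=4 * HOUR)
    t0 = store.create(now=0)
    steps = [(t0.id, t0.value, t0.expires_at)]
    t1 = store.refresh(t0.value, now=3 * HOUR)
    steps.append((t1.id, t1.value, t1.expires_at))
    t2 = store.refresh(t1.value, now=6 * HOUR)
    steps.append((t2.id, t2.value, t2.expires_at))
    return steps


if __name__ == "__main__":
    for step_id, value, expires_at in simulate_timeline():
        print(f"id={step_id} value={value} expires_at={expires_at // HOUR}h")
```

Running it prints the same id three times with three different values and expiry times of 4h, 7h and 10h, which is the answer's table. With `sliding_window=False` the expiry stays at 4h after the first grant and the 6h grant fails with `ExpiredToken`, so the two settings are independent: one governs the record's lifetime, the other the value's validity.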