# talk-kratos
m
Seems like kratos currently throws away new refresh tokens when they come in? That's wild. Why store them to begin with? If we make a fork that optionally can handle refresh token changes properly on new logins, are we maybe just misconfigured?
p
Hi @modern-eye-74914 I'm not too sure about this, but maybe @great-lamp-81307 has more knowledge about this topic
m
You probably need Hydra + Kratos for this to work properly.
a
@modern-eye-74914 You are an OAuth consumer, right? In that case, Kratos stores the tokens and you can retrieve them using the admin API: https://www.ory.sh/docs/kratos/reference/api#operation/adminGetIdentity. Note the `include_credential=oidc` parameter. See https://github.com/ory/kratos/pull/1818 for more details.
m
@able-glass-7253 that is helpful. We are using it as a client and ARE using the initial tokens successfully, but where we are having difficulty is if someone unauthenticates our app from the oidc host side, invalidating the token, and then reauthenticates again. It seems like, in this case, kratos simply throws out the new tokens. Granted this is somewhat rare, but it's totally unrecoverable when it does happen, meaning we can never use these tokens. I suspect this is why they're called "initial" tokens. I understand Hydra exists for this case, but I am also of the opinion that kratos has all the data it needs and a place to store it; it wouldn't be hard for it to do so. Perhaps I am incorrect and we are not using it properly, we are mistaken, or have missed some configuration flag. Thanks for the help!
I went ahead and threw that message onto the issue as well to see if the dev there knows what's up.
a
@modern-eye-74914 Thank you for the details. It seems that this is a known problem and fixing it is one of the goals for Kratos 1.0: https://github.com/ory/kratos/issues/1912
m
Ahah, got it! This will be relatively easy I think, 25% chance we will get around to filing a PR for it.