Hi! I have the following use case: a login process using the authorization code grant flow, which provides both an access_token (with TTL: 1h) and a refresh_token (with TTL: 12h).
When I try to get a new access token using the refresh token, after the first access token expired, what happens is:
1. a new access token is generated (with TTL: 1h)
2. a new refresh token is generated as well (with TTL: 12h)
3. the initial refresh token, which had another 11h (12h - 1h), is inactive
What I need to know is:
• Does Hydra revoke/invalidate the first refresh token (I’m getting 403 when performing introspection on it)?
• What is the best way to get new access tokens using a refresh token? (The docs do not mention how to implement the Refresh Token Flow: https://oauth.net/2/refresh-tokens/)
The goal here is to generate 1 access token and 1 refresh token after login and then keep generating new access tokens (after the previous one expires) until the initial refresh token is no longer valid, forcing the user to log in again.
Using TTLs above, I want to generate 13 access tokens and only 1 refresh token.
PS: I’m using this OAuth2 lib:
https://www.npmjs.com/package/simple-oauth2
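
Added example, not part of the original post and not Hydra's or simple-oauth2's code: a client session that copes with the rotation the post reports (each refresh returns a new refresh token and the previous one stops working) by always storing the whole refresh response. `RotatingTokenEndpoint`, `TokenSession` and `simulate` are hypothetical names, and the in-memory endpoint is a constructed stand-in for the authorization server.

```javascript
const HOUR = 3600 * 1000;

// Constructed stand-in for a token endpoint that rotates refresh tokens,
// modelled only on the behaviour observed in the post.
class RotatingTokenEndpoint {
  constructor(now) { this.now = now; this.seq = 0; this.active = new Map(); }
  issue() {
    const id = ++this.seq; // constructed token values, not real tokens
    const refresh_token = `rt-${id}`;
    this.active.set(refresh_token, this.now() + 12 * HOUR); // refresh TTL: 12h
    return { access_token: `at-${id}`, expires_at: this.now() + HOUR, refresh_token };
  }
  refresh(refreshToken) {
    const expiry = this.active.get(refreshToken);
    if (expiry === undefined || expiry <= this.now()) throw new Error('invalid_grant');
    this.active.delete(refreshToken); // the presented refresh token becomes inactive
    return this.issue();
  }
}

// Client side: replace the stored token set with every refresh response.
class TokenSession {
  constructor(endpoint, now) {
    this.endpoint = endpoint;
    this.now = now;
    this.tokens = endpoint.issue(); // stands in for the authorization code exchange
  }
  accessToken() {
    if (this.tokens.expires_at <= this.now()) {
      // Keep the new refresh token too; presenting the previous one again fails.
      this.tokens = this.endpoint.refresh(this.tokens.refresh_token);
    }
    return this.tokens.access_token;
  }
}

// Request an access token once per hour, then replay the first refresh token.
function simulate(hours) {
  let t = 0;
  const now = () => t;
  const endpoint = new RotatingTokenEndpoint(now);
  const session = new TokenSession(endpoint, now);
  const firstRefresh = session.tokens.refresh_token;
  const seen = new Set();
  for (let h = 0; h <= hours; h++) { t = h * HOUR; seen.add(session.accessToken()); }
  let oldRejected = false;
  try { endpoint.refresh(firstRefresh); } catch (e) { oldRejected = e.message === 'invalid_grant'; }
  return { accessTokens: seen.size, oldRejected, activeRefreshTokens: endpoint.active.size };
}
```

Under this rotation model exactly one refresh token is active at any time, so a client that keeps presenting the first one gets `invalid_grant` after the first refresh.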