# ory-selfhosting
r
Hi! I have the following use case: Login process using authorization code grant flow which provides both an access_token (with TTL: 1h) and a refresh_token (with TTL: 12h).

When I try to get a new access token using the refresh token, after the first access token expired, what happens is:

1. a new access token is generated (with TTL: 1h)
2. a new refresh token is generated as well (with TTL: 12h)
3. the initial refresh token which had another 11h (12h - 1h) is inactive

What I need to know is:

- Does hydra revoke/invalidate the first refresh token (I'm getting 403 when performing introspection on it)?
- What is the best way to get new access tokens using refresh token? (the docs do not mention how to implement the Refresh Token Flow - https://oauth.net/2/refresh-tokens/)

The goal here is to generate 1 access token and 1 refresh token after login and then keep generating new access tokens (after previous one expires) until the initial refresh token is no longer valid, forcing user to login again. Using TTLs above, I want to generate 13 access tokens and only 1 refresh token.

PS: I'm using this OAuth2 lib https://www.npmjs.com/package/simple-oauth2
m
Why such a short TTL for the refresh token? Are you implementing first-party login? Check out this article, and this one I think the best way to get new access tokens is implemented in your OAuth2 lib.
r
For security reasons we need to create an access token valid only for 1h, and then we can only request further access tokens without logging in again until the refresh token expires, which is 12h. My questions are quite simple; could you please help us? We just need to know how to implement the refresh token flow properly with Ory Hydra. Refresh token TTL could be 1 year and the problem would keep occurring. The main issue is how we can keep generating access tokens with the same refresh token.
thanks
l
You can't use a refresh token more than once; that would be a rather large security hole.