does trying to use the same refresh token revoke a...
# talk-hydra
v
Does trying to use the same refresh token revoke access? If I use a refresh token and then try to use it again, I get
{'error': 'token_inactive', 'error_description': 'Token is inactive because it is malformed, expired or otherwise invalid. Token validation failed. token_inactive'}
But then if I try to use the refresh token I got from the first response, I get
{'error': 'invalid_grant', 'error_description': 'The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. The refresh token has not been found: not_found'}
f
Hydra keeps a record of issued refresh tokens. There is only one active refresh token (the last one issued). Re-using a refresh token will fail and be interpreted as a replay attack. As a consequence, all tokens belonging to the session (also access tokens) will be invalidated and the user will be logged out. https://www.ory.sh/docs/hydra/debug#refresh-token-flow-fails
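A simplified in-memory model of the rotation and reuse detection described in the answer above, added here as an example; it is not Ory Hydra's code, and the class, method names and storage layout are assumptions. It reproduces the sequence from the question: replaying the used refresh token returns `token_inactive`, after which the newer refresh token is no longer found and the session's access token is inactive too.

```python
import secrets


class RotatingTokenStore:
    """Toy model of refresh token rotation with reuse detection (hypothetical, not Hydra)."""

    def __init__(self):
        self.refresh_tokens = {}  # refresh token -> {"session": str, "active": bool}
        self.access_tokens = {}   # access token -> session

    def _issue(self, session):
        access, refresh = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.access_tokens[access] = session
        self.refresh_tokens[refresh] = {"session": session, "active": True}
        return {"access_token": access, "refresh_token": refresh}

    def login(self, session):
        return self._issue(session)

    def is_access_token_active(self, access):
        return access in self.access_tokens

    def refresh(self, refresh_token):
        record = self.refresh_tokens.get(refresh_token)
        if record is None:
            return {"error": "invalid_grant"}      # unknown or already revoked
        if not record["active"]:
            # A used token came back: treat it as a replay and revoke the whole session.
            self._revoke_session(record["session"])
            return {"error": "token_inactive"}
        record["active"] = False                    # rotate: only the newest token stays active
        return self._issue(record["session"])

    def _revoke_session(self, session):
        self.refresh_tokens = {t: r for t, r in self.refresh_tokens.items()
                               if r["session"] != session}
        self.access_tokens = {t: s for t, s in self.access_tokens.items() if s != session}


def replay_scenario():
    """Constructed scenario: use a refresh token, replay it, then try the newer one."""
    store = RotatingTokenStore()
    first = store.login("session-1")
    second = store.refresh(first["refresh_token"])   # legitimate rotation
    replay = store.refresh(first["refresh_token"])   # reuse of the old token
    after = store.refresh(second["refresh_token"])   # newer token, now revoked
    return replay, after, store.is_access_token_active(second["access_token"])


if __name__ == "__main__":
    print(replay_scenario())
```

A client that refreshes from several workers should serialize the refresh and persist the new refresh token before discarding the old one, since an accidental second use has the same effect as a replay.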