# talk-hydra
c
Hello everyone, I have a strange behaviour when I want to refresh my access and ID tokens. Indeed, the refresh token request refreshes my ID and access token (which is normal) and the refresh token as well! In fact the expiration of the refresh token is refreshed, so the token never expires. Here are some results of the oauth2/introspect endpoint and my configuration. I have to add that the duration of tokens in the configuration file is only for testing and that we have the same behaviour with longer durations. hydra version: 1.10.2 First introspect:
{
    "active": true,
    "scope": "openid offline_access",
    "client_id": "4c7b757c-7c7e-41fc-a74c-744c61002e8d",
    "sub": "a4375067-3bba-4a71-b7ba-1360488ca91b",
    "exp": 1650441205, // 09:53:25
    "iat": 1650440724, // 09:45:24
    "nbf": 1650440724,
    "aud": [],
    "iss": "https://<myawesomehydraurl>/",
    "token_type": "Bearer",
    "token_use": "refresh_token"
}
Second introspect:
{
    "active": true,
    "scope": "openid offline_access",
    "client_id": "4c7b757c-7c7e-41fc-a74c-744c61002e8d",
    "sub": "a4375067-3bba-4a71-b7ba-1360488ca91b",
    "exp": 1650441508, // 09:58:28
    "iat": 1650441027, // 09:50:27
    "nbf": 1650441027,
    "aud": [],
    "iss": "https://<myawesomehydraurl>/",
    "token_type": "Bearer",
    "token_use": "refresh_token"
}
Here you can see that the refresh token should expire at 09:53:25, but when our ID token expires and we refresh it, the second refresh token issued expires at 09:58:28. And this goes on indefinitely. Hope that you can help me on this 🙂
h
I think this is known as Refresh Token Rotation and is used for security. Please correct me if I'm wrong, you can read more here https://auth0.com/docs/secure/tokens/refresh-tokens/refresh-token-rotation and here https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-4.13.2
c
Thanks for your answer, it seems to be that. I wonder if there is a way to deactivate it or to set the duration of rotation?
h
Rotation kicks in when you refresh your access token, hence also refreshing the refresh token. So the "duration" would be the expiry of the refresh token? Or did I misunderstand you? I couldn't find anything in the config in terms of deactivating the rotation functionality, but I guess one could have a look through the source code and see if there's a flag.
c
So the thing is that you can't control the duration of a session because refresh tokens refresh themselves.
h
@User Any insights on this?
m
Refresh and Access tokens are not sessions! You will not have an easy time using them like sessions. If you look for self-service first-party flows where you have control over session expiration and everything else you can imagine, check out Ory Kratos!
h
Thank you very much 🙇
c
Okay, I've misunderstood the behaviour of token rotation. I'll work with that and it will fit my needs. Thanks for your advice @User @User
m
Sure, feel free to reach out again if anything else is unclear