Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

I am looking at this test case <https://github.com/ory/hydra/blob/master/oauth2/fosite_store_helpers.go#L185-L212> and I see that it stores multiple sessions with same request ID, is this really valid? shouldn't request IDs be unique? especially because fosite store interface has `RevokeAccessToken` and `RevokeRefreshToken` which operate based on request ID, so then they can revoke multiple tokens?

Yes, revokation revokes the whole request chain as per spec

but isn't there always just one token per (request ID, token type)?