Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hello, my team and I have run into issues with the one-time-use nature of `refresh_token` and after looking at various issues in GitHub it appears we are not alone.

I've started a fork of both `fosite` and `hydra` to introduce a configuration variable to disable one-time use refresh tokens and would like to get a first pass of my changes. Draft PR <https://github.com/ory/fosite/pull/632|here>

Official name for this feature is Refresh Token Rotation as per <https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-4.13.2>.
Having it off is kinda dangerous for public clients, but I see how it can be useful. I would probably go for `oauth2.refresh_token_rotation.enabled`. This is also something I would consider making per-client.

Great idea! Thank you - it's been changed.