# general
b
In the flow_refresh.go implementation, Refresh Token Rotation must be applied. But as described in RFC 6819, it makes the OAuth client manage more complexity.
> Note: This measure may cause problems in clustered environments,
> since usage of the currently valid refresh token must be ensured. In
> such an environment, other measures might be more appropriate.
For example, in a microservices architecture, one microservice manages another IdP’s Access Token and Refresh Token, and many other microservices get the Access Token and execute their operations independently. In this situation, the microservice that manages the tokens needs to introduce an exclusion control that is not necessary for the business, and it will affect latency. Of course, it is possible, but I’m not sure the complexity is commensurate with the security benefit that Rotation brings.
s
@broad-fireman-57222 re fosite, please write an issue directly to the GitHub repo describing your approach to token rotation and the desired solution.
b
Thank you for your reply! I will write it up in an issue 🙇