0 votes

We have C# on the server side, and mobile apps. On the server side we have set the refresh token expiration time to 30 days:

"AbsoluteRefreshTokenLifetime": 2592000

On the mobile side, every time we open the app, because we have only stored the refresh token, and because the access token is empty, we send a call which returns 401; after that we refresh our tokens and continue with the new ones. After 30 days, when the refresh token expires, we show a dialog that the session has expired and send users to the login screen to make a new login request. But recently we have started to get feedback from mobile clients that they see the session expired dialog earlier than 30 days, at just about 13-14 days. Is it possible that, because we are requesting new refresh tokens every time the app is opened, some day the server revokes all tokens, making them invalid? What else can be the reason for this issue?

1
What is the identity provider you use? Are users allowed to change their password outside your applications? - Kavindu Dodanduwa
IdentityServer 3, yes, but it doesn't revoke the refresh token - Narek Simonyan
Are you sure that this is not caused by the user changing a password? Usually an identity provider could revoke issued tokens if that happened - Kavindu Dodanduwa
Yes, I checked it: when we change it on the web, mobile is still working with that token - Narek Simonyan
@KavinduDodanduwa, we have found a few logs with error messages - Narek Simonyan

1 Answer

0 votes

Could be the refresh token usage setting:

RefreshTokenUsage setting - OneTime vs ReUse

According to the IdentityServer documentation, a refresh token can be one-time use or reusable.

If it's reusable (ReUse), the same refresh token will be valid for token refreshing (until it expires).

But if it's one-time use (OneTime), the refresh token gets invalidated as soon as you use it.

Now in the latter case, your application must do the token refresh in a thread-safe manner. There shouldn't be race conditions where a refresh call would use an old/used refresh token. So check this setting, as well as checking for race conditions.

Is there any tool which can be used to understand the expiration time for a refresh token and to read other info?

Identity providers do not allow that (at least the ones I have seen). Refresh token settings are controlled by the identity server configuration. So check the deployment settings. For example, it could be a configuration issue related to AbsoluteRefreshTokenLifetime and SlidingRefreshTokenLifetime, as mentioned in the documentation.
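As an added illustration of the thread-safe refresh the answer recommends for the OneTime case (example code written here in C#, not from the asker's app or from IdentityServer), this client-side store serialises refreshes so that several requests failing with 401 at app start share one refresh instead of each replaying the same one-time refresh token. The `refreshCall` delegate is a hypothetical placeholder for whatever posts the `grant_type=refresh_token` request to the token endpoint and returns the new access/refresh pair.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;
// Serialises token refresh so that, with RefreshTokenUsage = OneTimeOnly, concurrent
// 401s on app start never replay an already consumed refresh token (the replay is
// rejected by the token endpoint and the app wrongly shows "session expired").
public sealed class TokenStore
{
    private readonly SemaphoreSlim _gate = new SemaphoreSlim(1, 1);
    private readonly Func<string, Task<(string, string)>> _refreshCall; // hypothetical: posts to the token endpoint
    private string _refresh;                   // loaded from secure storage at app start
    public string Access { get; private set; } // empty on app start, as in the question
    public TokenStore(string refreshToken, Func<string, Task<(string, string)>> refreshCall)
    { _refresh = refreshToken; _refreshCall = refreshCall; }
    // 'stale' is the access token the failing request carried (null on first use).
    public async Task<string> RefreshAsync(string stale)
    {
        await _gate.WaitAsync();
        try
        {
            // Another caller refreshed while we waited: reuse its result instead of
            // spending the one-time refresh token a second time.
            if (Access != null && Access != stale) return Access;
            var (access, refresh) = await _refreshCall(_refresh);
            Access = access;
            _refresh = refresh;                // persist the rotated refresh token here
            return access;
        }
        finally { _gate.Release(); }
    }
}
// Attaches the bearer token and, on 401, refreshes through the gate and retries once
// (the retry is a fresh HttpRequestMessage; reusing Content only works for bodiless or buffered requests).
public sealed class RefreshingHandler : DelegatingHandler
{
    private readonly TokenStore _store;
    public RefreshingHandler(TokenStore store, HttpMessageHandler inner) : base(inner) { _store = store; }
    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage req, CancellationToken ct)
    {
        var used = _store.Access;
        if (used != null) req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", used);
        var resp = await base.SendAsync(req, ct);
        if ((int)resp.StatusCode != 401) return resp;
        var fresh = await _store.RefreshAsync(used); // throws on invalid_grant: genuine session expiry
        var retry = new HttpRequestMessage(req.Method, req.RequestUri) { Content = req.Content };
        retry.Headers.Authorization = new AuthenticationHeaderValue("Bearer", fresh);
        return await base.SendAsync(retry, ct);
    }
}
```

Only a refresh that fails inside the gate (an invalid_grant from the token endpoint) should trigger the session-expired dialog; a 401 on an API call by itself is just the signal to refresh.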