On Oct 6, 2020, at 16:05, Aaron Parecki <aa...@parecki.com> wrote:
> However that also kind of defeats the purpose since attacks within that grace 
> period would be hard to detect. I'm looking for an idea of where people have 
> landed on that issue in practice.

This is effectively a race condition, and a grace period hides your ability to 
detect the race. Because of the race condition there is no guarantee that the second 
refresh token is the one that is retained; the client could still fail once it 
needs its next access token.

Instead, an ideal system would allow you to make a security exception and turn 
off rotation, possibly only until the client revises their logic.

-DW
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
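As an added illustration, not code from this thread or from any OAuth implementation, here is a small Python model of refresh-token rotation that shows the point above: with strict rotation the overlapping refresh is flagged at once, while a grace window accepts it silently and whether the client keeps working later depends only on which of the two responses it happened to retain. The token values, the 0.5 s race and the 100 s follow-up are constructed assumptions.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Family:
    current: str                                  # the single live refresh token
    retired: dict = field(default_factory=dict)   # rotated-out token -> time retired
    revoked: bool = False

class RotatingStore:
    def __init__(self, grace_seconds: float = 0.0):
        self.grace = grace_seconds
        self.families: dict[str, Family] = {}
        self.owner: dict[str, str] = {}           # token -> family id
        self.reuse_events: list = []              # what a detector would alert on

    def issue_family(self) -> str:
        fam_id, tok = secrets.token_hex(4), secrets.token_urlsafe(16)
        self.families[fam_id] = Family(current=tok)
        self.owner[tok] = fam_id
        return tok

    def refresh(self, token, now: float):
        fam = self.families.get(self.owner.get(token, ""))
        if fam is None or fam.revoked:
            return None
        if token != fam.current:
            if now - fam.retired.get(token, -1.0) > self.grace:
                # Replay outside the grace window: revoke the whole family and alert.
                fam.revoked = True
                self.reuse_events.append((token, now))
                return None
            # Inside the grace window the replay is accepted silently: nothing to detect.
        new = secrets.token_urlsafe(16)
        fam.retired.setdefault(fam.current, now)
        fam.current = new
        self.owner[new] = self.owner[token]
        return new

def race(grace_seconds: float, retain: str) -> tuple:
    """Two instances of one client refresh the same token 0.5 s apart; the client keeps
    response 'a' or 'b' and refreshes with it 100 s later. Returns (flagged, works_later)."""
    store = RotatingStore(grace_seconds)
    rt0 = store.issue_family()
    a = store.refresh(rt0, now=0.0)               # first instance rotates rt0
    b = store.refresh(rt0, now=0.5)               # second instance races with the same rt0
    flagged = bool(store.reuse_events)            # did the race itself raise an alert?
    later = store.refresh(a if retain == "a" else b, now=100.0)
    return flagged, later is not None
```

With no grace the race is visible immediately (at the cost of the client's session); with a 10 s grace nothing is flagged during the race, and only a client that retained the later response survives.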
