Refresh Token Rotation for Enhanced Security

Learn how refresh token rotation works and why it limits the damage from a stolen refresh token in long-lived OAuth 2.0 sessions: rotation does not stop theft, but it shortens the window a stolen token is usable and makes its misuse detectable.

Refresh Token Rotation

Refresh token rotation is a security mechanism where the authorization server issues a new refresh token every time the client uses one. The old refresh token is invalidated as soon as the exchange succeeds. If an attacker steals a refresh token and presents it after the legitimate client has already rotated it, the server sees the same token presented twice. It cannot tell which presenter is the attacker, so it revokes the entire token family (every refresh and access token descended from the original grant) and forces a fresh login. The OAuth 2.0 Security Best Current Practice (RFC 9700) requires that refresh tokens issued to public clients, which cannot keep a client secret, be either sender-constrained (for example with DPoP or mutual TLS) or rotated in this way.

How It Works

  1. Initial Token Response: The client receives an access_token and a refresh_token (RT1).

  2. Access Token Expires: After expires_in seconds, the access token is no longer valid.

  3. Refresh Request: The client sends RT1 to the /token endpoint with grant_type=refresh_token. A confidential client also authenticates itself; a public client sends its client_id so the server can check that RT1 was issued to that client.

  4. New Tokens: The server returns a new access_token AND a new refresh_token (RT2) and marks RT1 as used. The client must persist RT2 before discarding RT1, because RT1 will not work again.

  5. Repeat: Each refresh exchanges the current refresh token for a new pair, so at any moment exactly one refresh token in the family is live.

Token Request

POST /token HTTP/1.1
Host: auth.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token
&refresh_token=tGzv3JOkF0XG5Qx2TlKW...
&client_id=s6BhdRkqt3

Reuse Detection

If RT1 is used again after RT2 has been issued, the server knows that two parties hold RT1. It does not know which one is legitimate (the attacker may have used RT1 first, in which case the replay comes from the real client), so the safe response is to revoke everything descended from the grant:

Event                    Server action
-----------------------  ------------------------------------------------------
RT1 used to get RT2      Normal — issue new tokens, mark RT1 used
RT2 used to get RT3      Normal — issue new tokens, mark RT2 used
RT1 reused               Compromise detected — revoke all tokens in the family

Benefits

  • Limits exposure window: A stolen refresh token stops working the next time the legitimate client refreshes. If the attacker refreshes first, their copy works only until the legitimate client's next refresh trips reuse detection and the family is revoked.
  • Detects compromise: Presenting the same refresh token twice is an unambiguous signal that it was copied, which a static long-lived refresh token never gives you.
  • Supports long sessions: Users stay logged in for days or weeks without re-authenticating, while each individual token stays short-lived.

Implementation Notes

  • Store refresh tokens server-side with a "token family" identifier, the client_id they were issued to, and a used/unused flag. Store only a hash of the token value so a database leak does not hand out live refresh tokens.
  • Make the rotation atomic: marking the old token used and issuing the new one must be a single transaction, or two concurrent requests with the same token can both succeed and fork the family.
  • When reuse is detected, revoke all refresh and access tokens in the family and force re-authentication. Access tokens that cannot be revoked (self-contained JWTs) remain valid until they expire, which is why they must be short-lived.
  • Consider a short grace window (a few seconds) in which a retry of the same refresh request returns the same response instead of triggering revocation; otherwise a client whose response was lost on the network will lock itself out.
  • Set absolute maximum lifetimes on refresh token families (e.g., 30 days measured from the original login), independent of how often they are rotated.
  • Combine with short-lived access tokens (e.g., 5-15 minutes), and with sender-constrained tokens (DPoP or mutual TLS) where the client can support them; rotation is a detection control, sender-constraining is a prevention control.
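The following is an added example, not code from the original page or from any particular authorization server. It models the /token endpoint described in the "How It Works" steps and the "Reuse Detection" table as an in-memory store: tokens are stored hashed, each refresh token belongs to a family, a used token replayed within a short grace window gets the same response back (idempotent retry), and a replay after that window revokes the whole family, including its access tokens. The class and method names (TokenStore, issue_initial, refresh, access_token_valid), the clock injection, and the demo() walk-through are assumptions made for illustration; the client_id value is the one from the request example above.

```python
"""Refresh token rotation with token families and reuse detection.

Added example: an in-memory model of an OAuth 2.0 authorization server's
/token endpoint. Names and structure are assumptions for illustration.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional


class InvalidGrant(Exception):
    """Corresponds to the OAuth 2.0 'invalid_grant' error response."""


@dataclass
class RefreshRecord:
    family_id: str
    client_id: str
    used_at: Optional[float] = None    # set when this token is exchanged
    successor: Optional[dict] = None   # cached response, kept only for the grace window


class TokenStore:
    def __init__(self, access_ttl: int = 600, family_ttl: int = 30 * 86400,
                 grace_seconds: int = 10, now: Callable[[], float] = time.time):
        self.access_ttl = access_ttl          # short-lived access tokens
        self.family_ttl = family_ttl          # absolute lifetime from the original login
        self.grace_seconds = grace_seconds    # tolerate a retried request whose response was lost
        self.now = now                        # injectable clock so the demo can advance time
        self._refresh: dict = {}              # sha256(refresh token) -> RefreshRecord
        self._access: dict = {}               # sha256(access token) -> (family_id, expiry)
        self._family_created: dict = {}       # family_id -> creation time
        self._revoked_families: set = set()

    @staticmethod
    def _h(token: str) -> str:
        # Only hashes are stored; a leaked table does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def _issue(self, family_id: str, client_id: str) -> dict:
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._access[self._h(access)] = (family_id, self.now() + self.access_ttl)
        self._refresh[self._h(refresh)] = RefreshRecord(family_id, client_id)
        return {"access_token": access, "token_type": "Bearer",
                "expires_in": self.access_ttl, "refresh_token": refresh}

    def _revoke_family(self, family_id: str) -> None:
        self._revoked_families.add(family_id)
        for h in [h for h, (fam, _) in self._access.items() if fam == family_id]:
            del self._access[h]

    def issue_initial(self, client_id: str) -> dict:
        """Token response after a successful login: starts a new family (RT1)."""
        family_id = secrets.token_urlsafe(16)
        self._family_created[family_id] = self.now()
        return self._issue(family_id, client_id)

    def refresh(self, refresh_token: str, client_id: str) -> dict:
        """grant_type=refresh_token: rotate, or detect reuse and revoke the family."""
        rec = self._refresh.get(self._h(refresh_token))
        if rec is None or rec.client_id != client_id:
            raise InvalidGrant("unknown refresh token or not issued to this client")
        if rec.family_id in self._revoked_families:
            raise InvalidGrant("token family revoked")
        now = self.now()
        if now - self._family_created[rec.family_id] > self.family_ttl:
            self._revoke_family(rec.family_id)
            raise InvalidGrant("absolute refresh lifetime exceeded; re-authenticate")
        if rec.used_at is not None:
            if now - rec.used_at <= self.grace_seconds and rec.successor is not None:
                return rec.successor          # same request retried: same answer, no fork
            rec.successor = None              # grace over: stop holding the plaintext response
            self._revoke_family(rec.family_id)
            raise InvalidGrant("refresh token reuse detected; family revoked")
        response = self._issue(rec.family_id, client_id)
        rec.used_at, rec.successor = now, response
        return response

    def access_token_valid(self, access_token: str) -> bool:
        entry = self._access.get(self._h(access_token))
        return entry is not None and entry[1] > self.now()


def demo() -> dict:
    """RT1 -> RT2 (plus a retry inside the grace window) -> RT3, then RT1 replayed."""
    clock = [1_000.0]
    store = TokenStore(grace_seconds=10, now=lambda: clock[0])
    client = "s6BhdRkqt3"
    first = store.issue_initial(client)                       # RT1
    clock[0] += 600
    second = store.refresh(first["refresh_token"], client)    # RT1 -> RT2
    clock[0] += 5
    retry = store.refresh(first["refresh_token"], client)     # lost response, retried
    clock[0] += 600
    third = store.refresh(second["refresh_token"], client)    # RT2 -> RT3
    try:
        store.refresh(first["refresh_token"], client)         # attacker replays RT1
        reuse_detected = False
    except InvalidGrant:
        reuse_detected = True
    return {"retry_idempotent": retry is second,
            "reuse_detected": reuse_detected,
            "third_access_still_valid": store.access_token_valid(third["access_token"])}


if __name__ == "__main__":
    print(demo())
```

The grace window returns the cached response rather than minting another token pair, so a retry never leaves two live refresh tokens in the family. The cost is that the plaintext successor is held in memory for those few seconds; in a real server that cache belongs in a short-TTL store, and the window should be as small as your clients' retry behaviour allows.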

Use Case

A SPA or mobile app that needs to keep the user logged in for days or weeks. Instead of holding a long-lived access token, the app uses short-lived access tokens and refreshes them with rotating refresh tokens, always replacing its stored refresh token with the one in the latest response. If a refresh token is stolen, the thief can use it only until the next refresh by either party; at that point the duplicate presentation is detected and the whole family is revoked, so the attacker's access ends and the user is asked to log in again. The app should serialize its own refresh requests, since two concurrent refreshes with the same token look exactly like a replay.
