Hi Team,
I'm currently using Jira OAuth 2.0 Authorization Code Flow and I'm trying to understand how rotating refresh tokens work when the same app is authorized multiple times.
Here is what I did:
I authorized the same OAuth 2.0 app twice, which gave me:
refresh_token_1 (from the first authorization)
refresh_token_2 (from the second authorization)
I used refresh_token_1 to get a new access token and refresh token:
I received AccessToken_A and refresh_token_3
So now refresh_token_3 should be used for future refreshes
After some time (more than 10 minutes), I used refresh_token_2 (from the second authorization) to get new tokens:
I received AccessToken_B and refresh_token_4 successfully
Now when I try to use refresh_token_3 (which was generated from refresh_token_1), I get the following error:
{
"error": "unauthorized_client",
"error_description": "refresh_token is invalid"
}
I expected refresh_token_3 to still be valid because it was freshly generated and hadn't been used to generate an access token.
My questions are:
Why did refresh_token_3 become invalid?
Does using a different refresh token from the same client (like refresh_token_2) revoke the previous refresh token chain?
Is it true that only one refresh token at a time is valid per OAuth client (app) per user session?
Any official guidance or clarification would be very helpful. Thank you!
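Added example (constructed for this thread in Python; not Atlassian's code and not a statement of Jira's documented behaviour): a toy authorization server with rotating refresh tokens and two candidate revocation policies, replaying the exact sequence from the post. The literal reading of question 3 (only one refresh token valid per client per user at a time) would also have rejected refresh_token_2, since refresh_token_1 had already been redeemed; a policy where a refresh revokes refresh tokens from older grants of the same client and user does reproduce the observed outcome. Both policies are hypotheses, and the client and user identifiers are placeholders.

```python
import secrets

class TokenServer:
    """Toy authorization server with rotating refresh tokens (constructed model).
    Each refresh token maps to (client, user, grant_no); grant_no increments
    every time the authorization-code flow is completed again."""

    def __init__(self, policy):
        self.policy = policy   # "revoke_all_other" or "revoke_older_grants"
        self.tokens = {}       # refresh_token -> (client, user, grant_no)
        self.grants = 0

    def _mint(self, client, user, grant_no):
        rt = "rt_" + secrets.token_urlsafe(6)
        self.tokens[rt] = (client, user, grant_no)
        return {"access_token": "at_" + secrets.token_urlsafe(6), "refresh_token": rt}

    def authorize(self, client, user):
        # A repeated authorization starts a new grant and leaves existing
        # refresh tokens alone (both refresh_token_1 and _2 were usable once).
        self.grants += 1
        return self._mint(client, user, self.grants)

    def refresh(self, rt):
        entry = self.tokens.pop(rt, None)   # rotation: the redeemed token is spent
        if entry is None:
            return {"error": "unauthorized_client",
                    "error_description": "refresh_token is invalid"}
        client, user, grant_no = entry
        for other, (c, u, g) in list(self.tokens.items()):
            if (c, u) != (client, user):
                continue
            if self.policy == "revoke_all_other":
                del self.tokens[other]          # question 3 read literally
            elif self.policy == "revoke_older_grants" and g < grant_no:
                del self.tokens[other]          # a refresh supersedes older grants
        return self._mint(client, user, grant_no)

def replay(policy):
    """Runs the post's sequence; returns a success flag per refresh call."""
    srv = TokenServer(policy)
    rt1 = srv.authorize("example-app", "example-user")["refresh_token"]
    rt2 = srv.authorize("example-app", "example-user")["refresh_token"]
    step1 = srv.refresh(rt1)                              # AccessToken_A, refresh_token_3
    step2 = srv.refresh(rt2)                              # AccessToken_B, refresh_token_4
    step3 = srv.refresh(step1.get("refresh_token", ""))   # refresh_token_3 reused
    return tuple("error" not in r for r in (step1, step2, step3))
```

replay("revoke_older_grants") yields (True, True, False), the pattern in the post, while replay("revoke_all_other") yields (True, False, True), so the observed data rule out the strict one-token-per-client reading on its own.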
Hi @gopal guna
I suggest raising this question on the Developer Community.