RefreshTokenUsage issue

Question

RefreshTokenUsage issue

Closed this issue 2 months ago · 4 comments

Which version of Duende IdentityServer are you using?
7.0.6
Which version of .NET are you using?
.NET 8
Describe the bug

I understand that RefreshTokenUsage default has changed in 7.0.0 and it now defaults to ReUse.

Since we've upgraded we now see in SQL [dbo].[Clients] value changed from 1 to 0 for RefreshTokenUsage after seeding.

Problem that I have is that for us the access token can't be refreshed more than one time with same refresh token since 7.0.0, and it works only if we revert in SQL to back to RefreshTokenUsage 1.

Which is weird since based on enum values I expected the reverse.

public enum TokenUsage
{
    /// <summary>
    /// Re-use the refresh token handle
    /// </summary>
    ReUse = 0,

    /// <summary>
    /// Issue a new refresh token handle every time
    /// </summary>
    OneTimeOnly = 1
}

Previously we were on 6.2.1 using .NET 6 with same value RefreshTokenUsage 1 in SQL (and if I change it to 0 refresh token will fail after first use), so for us the behavior seemed to be reversed since then.

Answer 1 · 2024-09-17T13:09:34.000Z

Do you have any log entries from IdentityServer for the failed refresh attempt? IdentityServer does not convey much information back to the client on errors (for security reasons), but the logs usually contains more details on the failure.

Answer 2 · 2024-09-17T14:26:31.000Z

2024-09-17 16:21:54 {"timestamp":"2024-09-17T14:21:54.7655220Z","message":"\"7c9a1dff-42f9-40b8-85ad-254ecbbe15e8\" found in database: True","level":"Debug","clientId":"7c9a1dff-42f9-40b8-85ad-254ecbbe15e8","clientIdFound":true,"SourceContext":"Duende.IdentityServer.EntityFramework.Stores.ClientStore","RequestId":"0HN6N4EVKP7R1:00000001","RequestPath":"/connect/token","ConnectionId":"0HN6N4EVKP7R1","HttpContext":{"IpAddress":"169.254.1.1","Host":"localhost:18003","Path":"/connect/token","IsHttps":true,"Scheme":"https","Method":"POST","ContentType":"application/x-www-form-urlencoded","Protocol":"HTTP/1.1","QueryString":"","Body":null,"Query":{},"Headers":{"Accept":"application/json","Host":"localhost:18003","Content-Type":"application/x-www-form-urlencoded","Expect":"100-continue","Content-Length":"190"},"Cookies":{},"Device":null,"Browser":" - ","$type":"HttpContextInformation"},"ProcessId":1,"ProcessName":"dotnet","ThreadId":17,"ThreadName":".NET TP Worker","ElasticApmServiceName":"RFERL_Modules_IdentityServer_UI","ElasticApmServiceVersion":"1.14.0-alpha.22+Branch.develop.Sha.c0c6cd17e112d58cab1199a7cf9f75ae5f842477","ElasticApmServiceNodeName":null,"ElasticApmGlobalLabels":{}}
2024-09-17 16:21:54 {"timestamp":"2024-09-17T14:21:54.7658971Z","message":"client configuration validation for client \"7c9a1dff-42f9-40b8-85ad-254ecbbe15e8\" succeeded.","level":"Debug","clientId":"7c9a1dff-42f9-40b8-85ad-254ecbbe15e8","SourceContext":"Duende.IdentityServer.Stores.ValidatingClientStore","RequestId":"0HN6N4EVKP7R1:00000001","RequestPath":"/connect/token","ConnectionId":"0HN6N4EVKP7R1","HttpContext":{"IpAddress":"169.254.1.1","Host":"localhost:18003","Path":"/connect/token","IsHttps":true,"Scheme":"https","Method":"POST","ContentType":"application/x-www-form-urlencoded","Protocol":"HTTP/1.1","QueryString":"","Body":null,"Query":{},"Headers":{"Accept":"application/json","Host":"localhost:18003","Content-Type":"application/x-www-form-urlencoded","Expect":"100-continue","Content-Length":"190"},"Cookies":{},"Device":null,"Browser":" - ","$type":"HttpContextInformation"},"ProcessId":1,"ProcessName":"dotnet","ThreadId":17,"ThreadName":".NET TP Worker","ElasticApmServiceName":"RFERL_Modules_IdentityServer_UI","ElasticApmServiceVersion":"1.14.0-alpha.22+Branch.develop.Sha.c0c6cd17e112d58cab1199a7cf9f75ae5f842477","ElasticApmServiceNodeName":null,"ElasticApmGlobalLabels":{}}
2024-09-17 16:21:54 {"timestamp":"2024-09-17T14:21:54.7668036Z","message":"Secret validator success: \"HashedSharedSecretValidator\"","level":"Debug","0":"HashedSharedSecretValidator","SourceContext":"Duende.IdentityServer.Validation.ISecretsListValidator","RequestId":"0HN6N4EVKP7R1:00000001","RequestPath":"/connect/token","ConnectionId":"0HN6N4EVKP7R1","HttpContext":{"IpAddress":"169.254.1.1","Host":"localhost:18003","Path":"/connect/token","IsHttps":true,"Scheme":"https","Method":"POST","ContentType":"application/x-www-form-urlencoded","Protocol":"HTTP/1.1","QueryString":"","Body":null,"Query":{},"Headers":{"Accept":"application/json","Host":"localhost:18003","Content-Type":"application/x-www-form-urlencoded","Expect":"100-continue","Content-Length":"190"},"Cookies":{},"Device":null,"Browser":" - ","$type":"HttpContextInformation"},"ProcessId":1,"ProcessName":"dotnet","ThreadId":17,"ThreadName":".NET TP Worker","ElasticApmServiceName":"RFERL_Modules_IdentityServer_UI","ElasticApmServiceVersion":"1.14.0-alpha.22+Branch.develop.Sha.c0c6cd17e112d58cab1199a7cf9f75ae5f842477","ElasticApmServiceNodeName":null,"ElasticApmGlobalLabels":{}}
2024-09-17 16:21:54 {"timestamp":"2024-09-17T14:21:54.7669094Z","message":"Client validation success","level":"Debug","SourceContext":"Duende.IdentityServer.Validation.ClientSecretValidator","RequestId":"0HN6N4EVKP7R1:00000001","RequestPath":"/connect/token","ConnectionId":"0HN6N4EVKP7R1","HttpContext":{"IpAddress":"169.254.1.1","Host":"localhost:18003","Path":"/connect/token","IsHttps":true,"Scheme":"https","Method":"POST","ContentType":"application/x-www-form-urlencoded","Protocol":"HTTP/1.1","QueryString":"","Body":null,"Query":{},"Headers":{"Accept":"application/json","Host":"localhost:18003","Content-Type":"application/x-www-form-urlencoded","Expect":"100-continue","Content-Length":"190"},"Cookies":{},"Device":null,"Browser":" - ","$type":"HttpContextInformation"},"ProcessId":1,"ProcessName":"dotnet","ThreadId":17,"ThreadName":".NET TP Worker","ElasticApmServiceName":"RFERL_Modules_IdentityServer_UI","ElasticApmServiceVersion":"1.14.0-alpha.22+Branch.develop.Sha.c0c6cd17e112d58cab1199a7cf9f75ae5f842477","ElasticApmServiceNodeName":null,"ElasticApmGlobalLabels":{}}
2024-09-17 16:21:54 {"timestamp":"2024-09-17T14:21:54.7676832Z","message":"Start token request validation","level":"Debug","SourceContext":"Duende.IdentityServer.Validation.TokenRequestValidator","RequestId":"0HN6N4EVKP7R1:00000001","RequestPath":"/connect/token","ConnectionId":"0HN6N4EVKP7R1","HttpContext":{"IpAddress":"169.254.1.1","Host":"localhost:18003","Path":"/connect/token","IsHttps":true,"Scheme":"https","Method":"POST","ContentType":"application/x-www-form-urlencoded","Protocol":"HTTP/1.1","QueryString":"","Body":null,"Query":{},"Headers":{"Accept":"application/json","Host":"localhost:18003","Content-Type":"application/x-www-form-urlencoded","Expect":"100-continue","Content-Length":"190"},"Cookies":{},"Device":null,"Browser":" - ","$type":"HttpContextInformation"},"ProcessId":1,"ProcessName":"dotnet","ThreadId":17,"ThreadName":".NET TP Worker","ElasticApmServiceName":"RFERL_Modules_IdentityServer_UI","ElasticApmServiceVersion":"1.14.0-alpha.22+Branch.develop.Sha.c0c6cd17e112d58cab1199a7cf9f75ae5f842477","ElasticApmServiceNodeName":null,"ElasticApmGlobalLabels":{}}
2024-09-17 16:21:54 {"timestamp":"2024-09-17T14:21:54.7680557Z","message":"Start validation of refresh token request","level":"Debug","SourceContext":"Duende.IdentityServer.Validation.TokenRequestValidator","RequestId":"0HN6N4EVKP7R1:00000001","RequestPath":"/connect/token","ConnectionId":"0HN6N4EVKP7R1","HttpContext":{"IpAddress":"169.254.1.1","Host":"localhost:18003","Path":"/connect/token","IsHttps":true,"Scheme":"https","Method":"POST","ContentType":"application/x-www-form-urlencoded","Protocol":"HTTP/1.1","QueryString":"","Body":null,"Query":{},"Headers":{"Accept":"application/json","Host":"localhost:18003","Content-Type":"application/x-www-form-urlencoded","Expect":"100-continue","Content-Length":"190"},"Cookies":{},"Device":null,"Browser":" - ","$type":"HttpContextInformation"},"ProcessId":1,"ProcessName":"dotnet","ThreadId":17,"ThreadName":".NET TP Worker","ElasticApmServiceName":"RFERL_Modules_IdentityServer_UI","ElasticApmServiceVersion":"1.14.0-alpha.22+Branch.develop.Sha.c0c6cd17e112d58cab1199a7cf9f75ae5f842477","ElasticApmServiceNodeName":null,"ElasticApmGlobalLabels":{}}
2024-09-17 16:21:54 {"timestamp":"2024-09-17T14:21:54.7708976Z","message":"Entity Framework Core \"8.0.8\" initialized '\"IdentityServerPersistedGrantDbContext\"' using provider '\"Microsoft.EntityFrameworkCore.SqlServer\":\"8.0.7\"' with options: \"MigrationsHistoryTable=MigrationHistory \"","level":"Debug","version":"8.0.8","contextType":"IdentityServerPersistedGrantDbContext","provider":"Microsoft.EntityFrameworkCore.SqlServer","providerVersion":"8.0.7","options":"MigrationsHistoryTable=MigrationHistory ","EventId":{"Id":10403,"Name":"Microsoft.EntityFrameworkCore.Infrastructure.ContextInitialized"},"SourceContext":"Microsoft.EntityFrameworkCore.Infrastructure","RequestId":"0HN6N4EVKP7R1:00000001","RequestPath":"/connect/token","ConnectionId":"0HN6N4EVKP7R1","HttpContext":{"IpAddress":"169.254.1.1","Host":"localhost:18003","Path":"/connect/token","IsHttps":true,"Scheme":"https","Method":"POST","ContentType":"application/x-www-form-urlencoded","Protocol":"HTTP/1.1","QueryString":"","Body":null,"Query":{},"Headers":{"Accept":"application/json","Host":"localhost:18003","Content-Type":"application/x-www-form-urlencoded","Expect":"100-continue","Content-Length":"190"},"Cookies":{},"Device":null,"Browser":" - ","$type":"HttpContextInformation"},"ProcessId":1,"ProcessName":"dotnet","ThreadId":17,"ThreadName":".NET TP Worker","ElasticApmServiceName":"RFERL_Modules_IdentityServer_UI","ElasticApmServiceVersion":"1.14.0-alpha.22+Branch.develop.Sha.c0c6cd17e112d58cab1199a7cf9f75ae5f842477","ElasticApmServiceNodeName":null,"ElasticApmGlobalLabels":{}}
2024-09-17 16:21:54 {"timestamp":"2024-09-17T14:21:54.7729913Z","message":"Creating DbConnection.","level":"Debug","EventId":{"Id":20005,"Name":"Microsoft.EntityFrameworkCore.Database.Connection.ConnectionCreating"},"SourceContext":"Microsoft.EntityFrameworkCore.Database.Connection","RequestId":"0HN6N4EVKP7R1:00000001","RequestPath":"/connect/token","ConnectionId":"0HN6N4EVKP7R1","HttpContext":{"IpAddress":"169.254.1.1","Host":"localhost:18003","Path":"/connect/token","IsHttps":true,"Scheme":"https","Method":"POST","ContentType":"application/x-www-form-urlencoded","Protocol":"HTTP/1.1","QueryString":"","Body":null,"Query":{},"Headers":{"Accept":"application/json","Host":"localhost:18003","Content-Type":"application/x-www-form-urlencoded","Expect":"100-continue","Content-Length":"190"},"Cookies":{},"Device":null,"Browser":" - ","$type":"HttpContextInformation"},"ProcessId":1,"ProcessName":"dotnet","ThreadId":17,"ThreadName":".NET TP Worker","ElasticApmServiceName":"RFERL_Modules_IdentityServer_UI","ElasticApmServiceVersion":"1.14.0-alpha.22+Branch.develop.Sha.c0c6cd17e112d58cab1199a7cf9f75ae5f842477","ElasticApmServiceNodeName":null,"ElasticApmGlobalLabels":{}}
2024-09-17 16:21:54 {"timestamp":"2024-09-17T14:21:54.7737071Z","message":"Created DbConnection. (0ms).","level":"Debug","elapsed":0,"EventId":{"Id":20006,"Name":"Microsoft.EntityFrameworkCore.Database.Connection.ConnectionCreated"},"SourceContext":"Microsoft.EntityFrameworkCore.Database.Connection","RequestId":"0HN6N4EVKP7R1:00000001","RequestPath":"/connect/token","ConnectionId":"0HN6N4EVKP7R1","HttpContext":{"IpAddress":"169.254.1.1","Host":"localhost:18003","Path":"/connect/token","IsHttps":true,"Scheme":"https","Method":"POST","ContentType":"application/x-www-form-urlencoded","Protocol":"HTTP/1.1","QueryString":"","Body":null,"Query":{},"Headers":{"Accept":"application/json","Host":"localhost:18003","Content-Type":"application/x-www-form-urlencoded","Expect":"100-continue","Content-Length":"190"},"Cookies":{},"Device":null,"Browser":" - ","$type":"HttpContextInformation"},"ProcessId":1,"ProcessName":"dotnet","ThreadId":17,"ThreadName":".NET TP Worker","ElasticApmServiceName":"RFERL_Modules_IdentityServer_UI","ElasticApmServiceVersion":"1.14.0-alpha.22+Branch.develop.Sha.c0c6cd17e112d58cab1199a7cf9f75ae5f842477","ElasticApmServiceNodeName":null,"ElasticApmGlobalLabels":{}}
2024-09-17 16:21:54 {"timestamp":"2024-09-17T14:21:54.7744050Z","message":"Opening connection to database '\"RFE_IdentityDB\"' on server '\"mssql-database.local\"'.","level":"Debug","database":"RFE_IdentityDB","server":"mssql-database.local","EventId":{"Id":20000,"Name":"Microsoft.EntityFrameworkCore.Database.Connection.ConnectionOpening"},"SourceContext":"Microsoft.EntityFrameworkCore.Database.Connection","RequestId":"0HN6N4EVKP7R1:00000001","RequestPath":"/connect/token","ConnectionId":"0HN6N4EVKP7R1","HttpContext":{"IpAddress":"169.254.1.1","Host":"localhost:18003","Path":"/connect/token","IsHttps":true,"Scheme":"https","Method":"POST","ContentType":"application/x-www-form-urlencoded","Protocol":"HTTP/1.1","QueryString":"","Body":null,"Query":{},"Headers":{"Accept":"application/json","Host":"localhost:18003","Content-Type":"application/x-www-form-urlencoded","Expect":"100-continue","Content-Length":"190"},"Cookies":{},"Device":null,"Browser":" - ","$type":"HttpContextInformation"},"ProcessId":1,"ProcessName":"dotnet","ThreadId":17,"ThreadName":".NET TP Worker","ElasticApmServiceName":"RFERL_Modules_IdentityServer_UI","ElasticApmServiceVersion":"1.14.0-alpha.22+Branch.develop.Sha.c0c6cd17e112d58cab1199a7cf9f75ae5f842477","ElasticApmServiceNodeName":null,"ElasticApmGlobalLabels":{}}
2024-09-17 16:21:54 {"timestamp":"2024-09-17T14:21:54.7745741Z","message":"Opened connection to database '\"RFE_IdentityDB\"' on server '\"mssql-database.local\"'.","level":"Debug","database":"RFE_IdentityDB","server":"mssql-database.local","EventId":{"Id":20001,"Name":"Microsoft.EntityFrameworkCore.Database.Connection.ConnectionOpened"},"SourceContext":"Microsoft.EntityFrameworkCore.Database.Connection","RequestId":"0HN6N4EVKP7R1:00000001","RequestPath":"/connect/token","ConnectionId":"0HN6N4EVKP7R1","HttpContext":{"IpAddress":"169.254.1.1","Host":"localhost:18003","Path":"/connect/token","IsHttps":true,"Scheme":"https","Method":"POST","ContentType":"application/x-www-form-urlencoded","Protocol":"HTTP/1.1","QueryString":"","Body":null,"Query":{},"Headers":{"Accept":"application/json","Host":"localhost:18003","Content-Type":"application/x-www-form-urlencoded","Expect":"100-continue","Content-Length":"190"},"Cookies":{},"Device":null,"Browser":" - ","$type":"HttpContextInformation"},"ProcessId":1,"ProcessName":"dotnet","ThreadId":17,"ThreadName":".NET TP Worker","ElasticApmServiceName":"RFERL_Modules_IdentityServer_UI","ElasticApmServiceVersion":"1.14.0-alpha.22+Branch.develop.Sha.c0c6cd17e112d58cab1199a7cf9f75ae5f842477","ElasticApmServiceNodeName":null,"ElasticApmGlobalLabels":{}}
2024-09-17 16:21:54 {"timestamp":"2024-09-17T14:21:54.7747011Z","message":"Creating DbCommand for '\"ExecuteReader\"'.","level":"Debug","executionType":"ExecuteReader","EventId":{"Id":20103,"Name":"Microsoft.EntityFrameworkCore.Database.Command.CommandCreating"},"SourceContext":"Microsoft.EntityFrameworkCore.Database.Command","RequestId":"0HN6N4EVKP7R1:00000001","RequestPath":"/connect/token","ConnectionId":"0HN6N4EVKP7R1","HttpContext":{"IpAddress":"169.254.1.1","Host":"localhost:18003","Path":"/connect/token","IsHttps":true,"Scheme":"https","Method":"POST","ContentType":"application/x-www-form-urlencoded","Protocol":"HTTP/1.1","QueryString":"","Body":null,"Query":{},"Headers":{"Accept":"application/json","Host":"localhost:18003","Content-Type":"application/x-www-form-urlencoded","Expect":"100-continue","Content-Length":"190"},"Cookies":{},"Device":null,"Browser":" - ","$type":"HttpContextInformation"},"ProcessId":1,"ProcessName":"dotnet","ThreadId":17,"ThreadName":".NET TP Worker","ElasticApmServiceName":"RFERL_Modules_IdentityServer_UI","ElasticApmServiceVersion":"1.14.0-alpha.22+Branch.develop.Sha.c0c6cd17e112d58cab1199a7cf9f75ae5f842477","ElasticApmServiceNodeName":null,"ElasticApmGlobalLabels":{}}
2024-09-17 16:21:54 {"timestamp":"2024-09-17T14:21:54.7747742Z","message":"Created DbCommand for '\"ExecuteReader\"' (0ms).","level":"Debug","executionType":"ExecuteReader","elapsed":0,"EventId":{"Id":20104,"Name":"Microsoft.EntityFrameworkCore.Database.Command.CommandCreated"},"SourceContext":"Microsoft.EntityFrameworkCore.Database.Command","RequestId":"0HN6N4EVKP7R1:00000001","RequestPath":"/connect/token","ConnectionId":"0HN6N4EVKP7R1","HttpContext":{"IpAddress":"169.254.1.1","Host":"localhost:18003","Path":"/connect/token","IsHttps":true,"Scheme":"https","Method":"POST","ContentType":"application/x-www-form-urlencoded","Protocol":"HTTP/1.1","QueryString":"","Body":null,"Query":{},"Headers":{"Accept":"application/json","Host":"localhost:18003","Content-Type":"application/x-www-form-urlencoded","Expect":"100-continue","Content-Length":"190"},"Cookies":{},"Device":null,"Browser":" - ","$type":"HttpContextInformation"},"ProcessId":1,"ProcessName":"dotnet","ThreadId":17,"ThreadName":".NET TP Worker","ElasticApmServiceName":"RFERL_Modules_IdentityServer_UI","ElasticApmServiceVersion":"1.14.0-alpha.22+Branch.develop.Sha.c0c6cd17e112d58cab1199a7cf9f75ae5f842477","ElasticApmServiceNodeName":null,"ElasticApmGlobalLabels":{}}
2024-09-17 16:21:54 {"timestamp":"2024-09-17T14:21:54.7751374Z","message":"Initialized DbCommand for '\"ExecuteReader\"' (0ms).","level":"Debug","executionType":"ExecuteReader","elapsed":0,"EventId":{"Id":20106,"Name":"Microsoft.EntityFrameworkCore.Database.Command.CommandInitialized"},"SourceContext":"Microsoft.EntityFrameworkCore.Database.Command","RequestId":"0HN6N4EVKP7R1:00000001","RequestPath":"/connect/token","ConnectionId":"0HN6N4EVKP7R1","HttpContext":{"IpAddress":"169.254.1.1","Host":"localhost:18003","Path":"/connect/token","IsHttps":true,"Scheme":"https","Method":"POST","ContentType":"application/x-www-form-urlencoded","Protocol":"HTTP/1.1","QueryString":"","Body":null,"Query":{},"Headers":{"Accept":"application/json","Host":"localhost:18003","Content-Type":"application/x-www-form-urlencoded","Expect":"100-continue","Content-Length":"190"},"Cookies":{},"Device":null,"Browser":" - ","$type":"HttpContextInformation"},"ProcessId":1,"ProcessName":"dotnet","ThreadId":17,"ThreadName":".NET TP Worker","ElasticApmServiceName":"RFERL_Modules_IdentityServer_UI","ElasticApmServiceVersion":"1.14.0-alpha.22+Branch.develop.Sha.c0c6cd17e112d58cab1199a7cf9f75ae5f842477","ElasticApmServiceNodeName":null,"ElasticApmGlobalLabels":{}}
2024-09-17 16:21:54 {"timestamp":"2024-09-17T14:21:54.7752250Z","message":"Executing DbCommand [Parameters=[\"@__key_0='?' (Size = 200)\"], CommandType='Text', CommandTimeout='30']\"\n\"\"SELECT [p].[Id], [p].[ClientId], [p].[ConsumedTime], [p].[CreationTime], [p].[Data], [p].[Description], [p].[Expiration], [p].[Key], [p].[SessionId], [p].[SubjectId], [p].[Type]\nFROM [PersistedGrants] AS [p]\nWHERE [p].[Key] = @__key_0\"","level":"Debug","parameters":"@__key_0='?' (Size = 200)","commandType":"Text","commandTimeout":30,"newLine":"\n","commandText":"SELECT [p].[Id], [p].[ClientId], [p].[ConsumedTime], [p].[CreationTime], [p].[Data], [p].[Description], [p].[Expiration], [p].[Key], [p].[SessionId], [p].[SubjectId], [p].[Type]\nFROM [PersistedGrants] AS [p]\nWHERE [p].[Key] = @__key_0","EventId":{"Id":20100,"Name":"Microsoft.EntityFrameworkCore.Database.Command.CommandExecuting"},"SourceContext":"Microsoft.EntityFrameworkCore.Database.Command","RequestId":"0HN6N4EVKP7R1:00000001","RequestPath":"/connect/token","ConnectionId":"0HN6N4EVKP7R1","HttpContext":{"IpAddress":"169.254.1.1","Host":"localhost:18003","Path":"/connect/token","IsHttps":true,"Scheme":"https","Method":"POST","ContentType":"application/x-www-form-urlencoded","Protocol":"HTTP/1.1","QueryString":"","Body":null,"Query":{},"Headers":{"Accept":"application/json","Host":"localhost:18003","Content-Type":"application/x-www-form-urlencoded","Expect":"100-continue","Content-Length":"190"},"Cookies":{},"Device":null,"Browser":" - ","$type":"HttpContextInformation"},"ProcessId":1,"ProcessName":"dotnet","ThreadId":17,"ThreadName":".NET TP Worker","ElasticApmServiceName":"RFERL_Modules_IdentityServer_UI","ElasticApmServiceVersion":"1.14.0-alpha.22+Branch.develop.Sha.c0c6cd17e112d58cab1199a7cf9f75ae5f842477","ElasticApmServiceNodeName":null,"ElasticApmGlobalLabels":{}}
2024-09-17 16:21:54 {"timestamp":"2024-09-17T14:21:54.7786629Z","message":"Executed DbCommand (\"3\"ms) [Parameters=[\"@__key_0='?' (Size = 200)\"], CommandType='Text', CommandTimeout='30']\"\n\"\"SELECT [p].[Id], [p].[ClientId], [p].[ConsumedTime], [p].[CreationTime], [p].[Data], [p].[Description], [p].[Expiration], [p].[Key], [p].[SessionId], [p].[SubjectId], [p].[Type]\nFROM [PersistedGrants] AS [p]\nWHERE [p].[Key] = @__key_0\"","level":"Information","elapsed":"3","parameters":"@__key_0='?' (Size = 200)","commandType":"Text","commandTimeout":30,"newLine":"\n","commandText":"SELECT [p].[Id], [p].[ClientId], [p].[ConsumedTime], [p].[CreationTime], [p].[Data], [p].[Description], [p].[Expiration], [p].[Key], [p].[SessionId], [p].[SubjectId], [p].[Type]\nFROM [PersistedGrants] AS [p]\nWHERE [p].[Key] = @__key_0","EventId":{"Id":20101,"Name":"Microsoft.EntityFrameworkCore.Database.Command.CommandExecuted"},"SourceContext":"Microsoft.EntityFrameworkCore.Database.Command","RequestId":"0HN6N4EVKP7R1:00000001","RequestPath":"/connect/token","ConnectionId":"0HN6N4EVKP7R1","HttpContext":{"IpAddress":"169.254.1.1","Host":"localhost:18003","Path":"/connect/token","IsHttps":true,"Scheme":"https","Method":"POST","ContentType":"application/x-www-form-urlencoded","Protocol":"HTTP/1.1","QueryString":"","Body":null,"Query":{},"Headers":{"Accept":"application/json","Host":"localhost:18003","Content-Type":"application/x-www-form-urlencoded","Expect":"100-continue","Content-Length":"190"},"Cookies":{},"Device":null,"Browser":" - ","$type":"HttpContextInformation"},"ProcessId":1,"ProcessName":"dotnet","ThreadId":21,"ThreadName":".NET TP Worker","ElasticApmServiceName":"RFERL_Modules_IdentityServer_UI","ElasticApmServiceVersion":"1.14.0-alpha.22+Branch.develop.Sha.c0c6cd17e112d58cab1199a7cf9f75ae5f842477","ElasticApmServiceNodeName":null,"ElasticApmGlobalLabels":{}}
2024-09-17 16:21:54 {"timestamp":"2024-09-17T14:21:54.7790344Z","message":"Closing data reader to '\"RFE_IdentityDB\"' on server '\"mssql-database.local\"'.","level":"Debug","database":"RFE_IdentityDB","server":"mssql-database.local","EventId":{"Id":20301,"Name":"Microsoft.EntityFrameworkCore.Database.Command.DataReaderClosing"},"SourceContext":"Microsoft.EntityFrameworkCore.Database.Command","RequestId":"0HN6N4EVKP7R1:00000001","RequestPath":"/connect/token","ConnectionId":"0HN6N4EVKP7R1","HttpContext":{"IpAddress":"169.254.1.1","Host":"localhost:18003","Path":"/connect/token","IsHttps":true,"Scheme":"https","Method":"POST","ContentType":"application/x-www-form-urlencoded","Protocol":"HTTP/1.1","QueryString":"","Body":null,"Query":{},"Headers":{"Accept":"application/json","Host":"localhost:18003","Content-Type":"application/x-www-form-urlencoded","Expect":"100-continue","Content-Length":"190"},"Cookies":{},"Device":null,"Browser":" - ","$type":"HttpContextInformation"},"ProcessId":1,"ProcessName":"dotnet","ThreadId":21,"ThreadName":".NET TP Worker","ElasticApmServiceName":"RFERL_Modules_IdentityServer_UI","ElasticApmServiceVersion":"1.14.0-alpha.22+Branch.develop.Sha.c0c6cd17e112d58cab1199a7cf9f75ae5f842477","ElasticApmServiceNodeName":null,"ElasticApmGlobalLabels":{}}
2024-09-17 16:21:54 {"timestamp":"2024-09-17T14:21:54.7791917Z","message":"A data reader for '\"RFE_IdentityDB\"' on server '\"mssql-database.local\"' is being disposed after spending 0ms reading results.","level":"Debug","database":"RFE_IdentityDB","server":"mssql-database.local","elapsed":0,"EventId":{"Id":20300,"Name":"Microsoft.EntityFrameworkCore.Database.Command.DataReaderDisposing"},"SourceContext":"Microsoft.EntityFrameworkCore.Database.Command","RequestId":"0HN6N4EVKP7R1:00000001","RequestPath":"/connect/token","ConnectionId":"0HN6N4EVKP7R1","HttpContext":{"IpAddress":"169.254.1.1","Host":"localhost:18003","Path":"/connect/token","IsHttps":true,"Scheme":"https","Method":"POST","ContentType":"application/x-www-form-urlencoded","Protocol":"HTTP/1.1","QueryString":"","Body":null,"Query":{},"Headers":{"Accept":"application/json","Host":"localhost:18003","Content-Type":"application/x-www-form-urlencoded","Expect":"100-continue","Content-Length":"190"},"Cookies":{},"Device":null,"Browser":" - ","$type":"HttpContextInformation"},"ProcessId":1,"ProcessName":"dotnet","ThreadId":21,"ThreadName":".NET TP Worker","ElasticApmServiceName":"RFERL_Modules_IdentityServer_UI","ElasticApmServiceVersion":"1.14.0-alpha.22+Branch.develop.Sha.c0c6cd17e112d58cab1199a7cf9f75ae5f842477","ElasticApmServiceNodeName":null,"ElasticApmGlobalLabels":{}}
2024-09-17 16:21:54 {"timestamp":"2024-09-17T14:21:54.7793257Z","message":"Closing connection to database '\"RFE_IdentityDB\"' on server '\"mssql-database.local\"'.","level":"Debug","database":"RFE_IdentityDB","server":"mssql-database.local","EventId":{"Id":20002,"Name":"Microsoft.EntityFrameworkCore.Database.Connection.ConnectionClosing"},"SourceContext":"Microsoft.EntityFrameworkCore.Database.Connection","RequestId":"0HN6N4EVKP7R1:00000001","RequestPath":"/connect/token","ConnectionId":"0HN6N4EVKP7R1","HttpContext":{"IpAddress":"169.254.1.1","Host":"localhost:18003","Path":"/connect/token","IsHttps":true,"Scheme":"https","Method":"POST","ContentType":"application/x-www-form-urlencoded","Protocol":"HTTP/1.1","QueryString":"","Body":null,"Query":{},"Headers":{"Accept":"application/json","Host":"localhost:18003","Content-Type":"application/x-www-form-urlencoded","Expect":"100-continue","Content-Length":"190"},"Cookies":{},"Device":null,"Browser":" - ","$type":"HttpContextInformation"},"ProcessId":1,"ProcessName":"dotnet","ThreadId":21,"ThreadName":".NET TP Worker","ElasticApmServiceName":"RFERL_Modules_IdentityServer_UI","ElasticApmServiceVersion":"1.14.0-alpha.22+Branch.develop.Sha.c0c6cd17e112d58cab1199a7cf9f75ae5f842477","ElasticApmServiceNodeName":null,"ElasticApmGlobalLabels":{}}
2024-09-17 16:21:54 {"timestamp":"2024-09-17T14:21:54.7794166Z","message":"Closed connection to database '\"RFE_IdentityDB\"' on server '\"mssql-database.local\"' (0ms).","level":"Debug","database":"RFE_IdentityDB","server":"mssql-database.local","elapsed":0,"EventId":{"Id":20003,"Name":"Microsoft.EntityFrameworkCore.Database.Connection.ConnectionClosed"},"SourceContext":"Microsoft.EntityFrameworkCore.Database.Connection","RequestId":"0HN6N4EVKP7R1:00000001","RequestPath":"/connect/token","ConnectionId":"0HN6N4EVKP7R1","HttpContext":{"IpAddress":"169.254.1.1","Host":"localhost:18003","Path":"/connect/token","IsHttps":true,"Scheme":"https","Method":"POST","ContentType":"application/x-www-form-urlencoded","Protocol":"HTTP/1.1","QueryString":"","Body":null,"Query":{},"Headers":{"Accept":"application/json","Host":"localhost:18003","Content-Type":"application/x-www-form-urlencoded","Expect":"100-continue","Content-Length":"190"},"Cookies":{},"Device":null,"Browser":" - ","$type":"HttpContextInformation"},"ProcessId":1,"ProcessName":"dotnet","ThreadId":21,"ThreadName":".NET TP Worker","ElasticApmServiceName":"RFERL_Modules_IdentityServer_UI","ElasticApmServiceVersion":"1.14.0-alpha.22+Branch.develop.Sha.c0c6cd17e112d58cab1199a7cf9f75ae5f842477","ElasticApmServiceNodeName":null,"ElasticApmGlobalLabels":{}}
2024-09-17 16:21:54 {"timestamp":"2024-09-17T14:21:54.7803311Z","message":"\"13CD6D906EDD7BA120437F26B22C507F41C060CC3AC7848CE312114C98B36D38\" found in database: False","level":"Debug","persistedGrantKey":"13CD6D906EDD7BA120437F26B22C507F41C060CC3AC7848CE312114C98B36D38","persistedGrantKeyFound":false,"SourceContext":"RFERL.Modules.Identity.Core.Services.IdentityServer.MsSqlPersistedGrantStore","RequestId":"0HN6N4EVKP7R1:00000001","RequestPath":"/connect/token","ConnectionId":"0HN6N4EVKP7R1","HttpContext":{"IpAddress":"169.254.1.1","Host":"localhost:18003","Path":"/connect/token","IsHttps":true,"Scheme":"https","Method":"POST","ContentType":"application/x-www-form-urlencoded","Protocol":"HTTP/1.1","QueryString":"","Body":null,"Query":{},"Headers":{"Accept":"application/json","Host":"localhost:18003","Content-Type":"application/x-www-form-urlencoded","Expect":"100-continue","Content-Length":"190"},"Cookies":{},"Device":null,"Browser":" - ","$type":"HttpContextInformation"},"ProcessId":1,"ProcessName":"dotnet","ThreadId":21,"ThreadName":".NET TP Worker","ElasticApmServiceName":"RFERL_Modules_IdentityServer_UI","ElasticApmServiceVersion":"1.14.0-alpha.22+Branch.develop.Sha.c0c6cd17e112d58cab1199a7cf9f75ae5f842477","ElasticApmServiceNodeName":null,"ElasticApmGlobalLabels":{}}
2024-09-17 16:21:54 {"timestamp":"2024-09-17T14:21:54.7815993Z","message":"\"refresh_token\" grant with value: \"F4937C0D2271954B650E69637B9EC971AC94DEB34BD45C74F4C53E5A310B287D-1\" not found in store.","level":"Debug","grantType":"refresh_token","key":"F4937C0D2271954B650E69637B9EC971AC94DEB34BD45C74F4C53E5A310B287D-1","SourceContext":"Duende.IdentityServer.Stores.DefaultRefreshTokenStore","RequestId":"0HN6N4EVKP7R1:00000001","RequestPath":"/connect/token","ConnectionId":"0HN6N4EVKP7R1","HttpContext":{"IpAddress":"169.254.1.1","Host":"localhost:18003","Path":"/connect/token","IsHttps":true,"Scheme":"https","Method":"POST","ContentType":"application/x-www-form-urlencoded","Protocol":"HTTP/1.1","QueryString":"","Body":null,"Query":{},"Headers":{"Accept":"application/json","Host":"localhost:18003","Content-Type":"application/x-www-form-urlencoded","Expect":"100-continue","Content-Length":"190"},"Cookies":{},"Device":null,"Browser":" - ","$type":"HttpContextInformation"},"ProcessId":1,"ProcessName":"dotnet","ThreadId":21,"ThreadName":".NET TP Worker","ElasticApmServiceName":"RFERL_Modules_IdentityServer_UI","ElasticApmServiceVersion":"1.14.0-alpha.22+Branch.develop.Sha.c0c6cd17e112d58cab1199a7cf9f75ae5f842477","ElasticApmServiceNodeName":null,"ElasticApmGlobalLabels":{}}
2024-09-17 16:21:54 {"timestamp":"2024-09-17T14:21:54.7824255Z","message":"Invalid refresh token","level":"Warning","SourceContext":"Duende.IdentityServer.Services.DefaultRefreshTokenService","RequestId":"0HN6N4EVKP7R1:00000001","RequestPath":"/connect/token","ConnectionId":"0HN6N4EVKP7R1","HttpContext":{"IpAddress":"169.254.1.1","Host":"localhost:18003","Path":"/connect/token","IsHttps":true,"Scheme":"https","Method":"POST","ContentType":"application/x-www-form-urlencoded","Protocol":"HTTP/1.1","QueryString":"","Body":null,"Query":{},"Headers":{"Accept":"application/json","Host":"localhost:18003","Content-Type":"application/x-www-form-urlencoded","Expect":"100-continue","Content-Length":"190"},"Cookies":{},"Device":null,"Browser":" - ","$type":"HttpContextInformation"},"ProcessId":1,"ProcessName":"dotnet","ThreadId":21,"ThreadName":".NET TP Worker","ElasticApmServiceName":"RFERL_Modules_IdentityServer_UI","ElasticApmServiceVersion":"1.14.0-alpha.22+Branch.develop.Sha.c0c6cd17e112d58cab1199a7cf9f75ae5f842477","ElasticApmServiceNodeName":null,"ElasticApmGlobalLabels":{}}
2024-09-17 16:21:54 {"timestamp":"2024-09-17T14:21:54.7844378Z","message":"Refresh token validation failed. aborting, TokenRequestValidationLog { ClientId: \"7c9a1dff-42f9-40b8-85ad-254ecbbe15e8\", ClientName: \"CMS RFE\", GrantType: \"refresh_token\", Scopes: null, AuthorizationCode: \"********\", RefreshToken: \"********\", UserName: null, AuthenticationContextReferenceClasses: null, Tenant: null, IdP: null, Raw: [(\"grant_type\": \"refresh_token\"), (\"refresh_token\": \"***REDACTED***\"), (\"client_id\": \"7c9a1dff-42f9-40b8-85ad-254ecbbe15e8\"), (\"client_secret\": \"***REDACTED***\")] }","level":"Warning","details":{"ClientId":"7c9a1dff-42f9-40b8-85ad-254ecbbe15e8","ClientName":"CMS RFE","GrantType":"refresh_token","Scopes":null,"AuthorizationCode":"********","RefreshToken":"********","UserName":null,"AuthenticationContextReferenceClasses":null,"Tenant":null,"IdP":null,"Raw":{"grant_type":"refresh_token","refresh_token":"***REDACTED***","client_id":"7c9a1dff-42f9-40b8-85ad-254ecbbe15e8","client_secret":"***REDACTED***"},"$type":"TokenRequestValidationLog"},"SourceContext":"Duende.IdentityServer.Validation.TokenRequestValidator","RequestId":"0HN6N4EVKP7R1:00000001","RequestPath":"/connect/token","ConnectionId":"0HN6N4EVKP7R1","HttpContext":{"IpAddress":"169.254.1.1","Host":"localhost:18003","Path":"/connect/token","IsHttps":true,"Scheme":"https","Method":"POST","ContentType":"application/x-www-form-urlencoded","Protocol":"HTTP/1.1","QueryString":"","Body":null,"Query":{},"Headers":{"Accept":"application/json","Host":"localhost:18003","Content-Type":"application/x-www-form-urlencoded","Expect":"100-continue","Content-Length":"190"},"Cookies":{},"Device":null,"Browser":" - ","$type":"HttpContextInformation"},"ProcessId":1,"ProcessName":"dotnet","ThreadId":21,"ThreadName":".NET TP Worker","ElasticApmServiceName":"RFERL_Modules_IdentityServer_UI","ElasticApmServiceVersion":"1.14.0-alpha.22+Branch.develop.Sha.c0c6cd17e112d58cab1199a7cf9f75ae5f842477","ElasticApmServiceNodeName":null,"ElasticApmGlobalLabels":{}}
2024-09-17 16:21:54 {"timestamp":"2024-09-17T14:21:54.7954331Z","message":"Connection id \"\"0HN6N4EVKP7R1\"\" completed keep alive response.","level":"Debug","ConnectionId":"0HN6N4EVKP7R1","EventId":{"Id":9,"Name":"ConnectionKeepAlive"},"SourceContext":"Microsoft.AspNetCore.Server.Kestrel.Connections","RequestId":"0HN6N4EVKP7R1:00000001","RequestPath":"/connect/token","ProcessId":1,"ProcessName":"dotnet","ThreadId":21,"ThreadName":".NET TP Worker","ElasticApmServiceName":"RFERL_Modules_IdentityServer_UI","ElasticApmServiceVersion":"1.14.0-alpha.22+Branch.develop.Sha.c0c6cd17e112d58cab1199a7cf9f75ae5f842477","ElasticApmServiceNodeName":null,"ElasticApmGlobalLabels":{}}
2024-09-17 16:21:54 {"timestamp":"2024-09-17T14:21:54.7960016Z","message":"'\"IdentityServerConfigurationDbContext\"' disposed.","level":"Debug","contextType":"IdentityServerConfigurationDbContext","EventId":{"Id":10407,"Name":"Microsoft.EntityFrameworkCore.Infrastructure.ContextDisposed"},"SourceContext":"Microsoft.EntityFrameworkCore.Infrastructure","RequestId":"0HN6N4EVKP7R1:00000001","RequestPath":"/connect/token","ConnectionId":"0HN6N4EVKP7R1","ProcessId":1,"ProcessName":"dotnet","ThreadId":21,"ThreadName":".NET TP Worker","ElasticApmServiceName":"RFERL_Modules_IdentityServer_UI","ElasticApmServiceVersion":"1.14.0-alpha.22+Branch.develop.Sha.c0c6cd17e112d58cab1199a7cf9f75ae5f842477","ElasticApmServiceNodeName":null,"ElasticApmGlobalLabels":{}}
2024-09-17 16:21:54 {"timestamp":"2024-09-17T14:21:54.7961516Z","message":"Disposing connection to database '\"RFE_IdentityDB\"' on server '\"mssql-database.local\"'.","level":"Debug","database":"RFE_IdentityDB","server":"mssql-database.local","EventId":{"Id":20007,"Name":"Microsoft.EntityFrameworkCore.Database.Connection.ConnectionDisposing"},"SourceContext":"Microsoft.EntityFrameworkCore.Database.Connection","RequestId":"0HN6N4EVKP7R1:00000001","RequestPath":"/connect/token","ConnectionId":"0HN6N4EVKP7R1","ProcessId":1,"ProcessName":"dotnet","ThreadId":21,"ThreadName":".NET TP Worker","ElasticApmServiceName":"RFERL_Modules_IdentityServer_UI","ElasticApmServiceVersion":"1.14.0-alpha.22+Branch.develop.Sha.c0c6cd17e112d58cab1199a7cf9f75ae5f842477","ElasticApmServiceNodeName":null,"ElasticApmGlobalLabels":{}}
2024-09-17 16:21:54 {"timestamp":"2024-09-17T14:21:54.7962209Z","message":"Disposed connection to database '\"\"' on server '\"\"' (0ms).","level":"Debug","database":"","server":"","elapsed":0,"EventId":{"Id":20008,"Name":"Microsoft.EntityFrameworkCore.Database.Connection.ConnectionDisposed"},"SourceContext":"Microsoft.EntityFrameworkCore.Database.Connection","RequestId":"0HN6N4EVKP7R1:00000001","RequestPath":"/connect/token","ConnectionId":"0HN6N4EVKP7R1","ProcessId":1,"ProcessName":"dotnet","ThreadId":21,"ThreadName":".NET TP Worker","ElasticApmServiceName":"RFERL_Modules_IdentityServer_UI","ElasticApmServiceVersion":"1.14.0-alpha.22+Branch.develop.Sha.c0c6cd17e112d58cab1199a7cf9f75ae5f842477","ElasticApmServiceNodeName":null,"ElasticApmGlobalLabels":{}}
2024-09-17 16:21:54 {"timestamp":"2024-09-17T14:21:54.7962604Z","message":"'\"IdentityServerPersistedGrantDbContext\"' disposed.","level":"Debug","contextType":"IdentityServerPersistedGrantDbContext","EventId":{"Id":10407,"Name":"Microsoft.EntityFrameworkCore.Infrastructure.ContextDisposed"},"SourceContext":"Microsoft.EntityFrameworkCore.Infrastructure","RequestId":"0HN6N4EVKP7R1:00000001","RequestPath":"/connect/token","ConnectionId":"0HN6N4EVKP7R1","ProcessId":1,"ProcessName":"dotnet","ThreadId":21,"ThreadName":".NET TP Worker","ElasticApmServiceName":"RFERL_Modules_IdentityServer_UI","ElasticApmServiceVersion":"1.14.0-alpha.22+Branch.develop.Sha.c0c6cd17e112d58cab1199a7cf9f75ae5f842477","ElasticApmServiceNodeName":null,"ElasticApmGlobalLabels":{}}
2024-09-17 16:21:54 {"timestamp":"2024-09-17T14:21:54.7962893Z","message":"Disposing connection to database '\"RFE_IdentityDB\"' on server '\"mssql-database.local\"'.","level":"Debug","database":"RFE_IdentityDB","server":"mssql-database.local","EventId":{"Id":20007,"Name":"Microsoft.EntityFrameworkCore.Database.Connection.ConnectionDisposing"},"SourceContext":"Microsoft.EntityFrameworkCore.Database.Connection","RequestId":"0HN6N4EVKP7R1:00000001","RequestPath":"/connect/token","ConnectionId":"0HN6N4EVKP7R1","ProcessId":1,"ProcessName":"dotnet","ThreadId":21,"ThreadName":".NET TP Worker","ElasticApmServiceName":"RFERL_Modules_IdentityServer_UI","ElasticApmServiceVersion":"1.14.0-alpha.22+Branch.develop.Sha.c0c6cd17e112d58cab1199a7cf9f75ae5f842477","ElasticApmServiceNodeName":null,"ElasticApmGlobalLabels":{}}
2024-09-17 16:21:54 {"timestamp":"2024-09-17T14:21:54.7963181Z","message":"Disposed connection to database '\"\"' on server '\"\"' (0ms).","level":"Debug","database":"","server":"","elapsed":0,"EventId":{"Id":20008,"Name":"Microsoft.EntityFrameworkCore.Database.Connection.ConnectionDisposed"},"SourceContext":"Microsoft.EntityFrameworkCore.Database.Connection","RequestId":"0HN6N4EVKP7R1:00000001","RequestPath":"/connect/token","ConnectionId":"0HN6N4EVKP7R1","ProcessId":1,"ProcessName":"dotnet","ThreadId":21,"ThreadName":".NET TP Worker","ElasticApmServiceName":"RFERL_Modules_IdentityServer_UI","ElasticApmServiceVersion":"1.14.0-alpha.22+Branch.develop.Sha.c0c6cd17e112d58cab1199a7cf9f75ae5f842477","ElasticApmServiceNodeName":null,"ElasticApmGlobalLabels":{}}
2024-09-17 16:21:54 {"timestamp":"2024-09-17T14:21:54.7965496Z","message":"Request finished \"HTTP/1.1\" \"POST\" \"https\"://\"localhost:18003\"\"\"\"/connect/token\"\"\" - 400 null \"application/json; charset=UTF-8\" 157.1731ms","level":"Information","ElapsedMilliseconds":157.1731,"StatusCode":400,"ContentType":"application/json; charset=UTF-8","ContentLength":null,"Protocol":"HTTP/1.1","Method":"POST","Scheme":"https","Host":"localhost:18003","PathBase":"","Path":"/connect/token","QueryString":"","EventId":{"Id":2},"SourceContext":"Microsoft.AspNetCore.Hosting.Diagnostics","RequestId":"0HN6N4EVKP7R1:00000001","RequestPath":"/connect/token","ConnectionId":"0HN6N4EVKP7R1","ProcessId":1,"ProcessName":"dotnet","ThreadId":21,"ThreadName":".NET TP Worker","ElasticApmServiceName":"RFERL_Modules_IdentityServer_UI","ElasticApmServiceVersion":"1.14.0-alpha.22+Branch.develop.Sha.c0c6cd17e112d58cab1199a7cf9f75ae5f842477","ElasticApmServiceNodeName":null,"ElasticApmGlobalLabels":{}}

Answer 3 · 2024-09-17T14:35:56.000Z

ok I found the difference. Our legacy client code for some reason after refreshing the token is additionally calling this revocation endpoint (probably unnecessarily)
/connect/revocation
using
{ { "token", refreshToken }, { "token_type_hint", "refresh_token" } };
I think this code expects to get a new refreshToken every time (which it doesn't with RefreshTokenUsage defaulted to 0 now)

So we either rework our client to always reuse same refreshToken with new default.
Or we change the RefreshTokenUsage back to 1 on our side.

EDIT: do you have any preferred approach? Given that you guys changed default to Reuse in version 7.0.0 I assume is best to use this option on all clients.

Answer 4 · 2024-09-18T11:47:35.000Z

Great to hear that you resolved the issue.

The revocation step is redundant for one-time-use-refresh tokens. Once the refresh token has been used for a client with TokenUsage.OneTimeOnly we revoke the refresh token and issue a new one. For reusable refresh tokens this of course explains why it fails - if the token is revoked it cannot be used again.

Our recommendation is to always use ReUse (hence the new default). The OneTimeOnly was meant to be a protection against token exfiltration for public clients (specifically for single page applications). It turns out that refresh token rotation really doesn't protect against token exfiltration, even though it makes it a bit harder for an attacker. It also turns out that there are always network issues, aborted requests etc. If that happens after the refresh token has bee revoked, but before the client has received the new refresh token there is no way for the client to recover. They have to ask the user to sign in again.

So with a setting that didn't really fix the problem, but caused other issues we decided to change the default. For single page appications we also do not recommend handling any tokens at all in the browser, it should be done serverside using the backend for frontend pattern.