We have an OAuth/OIDC service developed in API Connect/Datapower.
When a user requests a new refresh_token - if any unexpected error occurs in the flow, the new refresh_token is not issued, and their existing refresh_token is revoked. This forces the user to go through a new consent flow. This can be problematic if large numbers of customers are affected due to some unexpected error. We would like the old refresh_token to still be valid in this scenario.
We raised this with our IBM support contact - and he said this works as intended (i.e. - it should revoke the old refresh_token as the first action - it is single use, regardless of outcome).
He did suggest that it is possible to configure the refresh_token to be used multiple times until it is revoked/expired.
I am not sure how to do this - or what versions it is supported in. He said '(in 2018.4.1.x)? For v5 gw, use extension to enable it, You will need the latest DP firmware release for the above'. When we asked for some clarity on this - I was basically told to come here...
Does anyone have any more information/experience with enabling a refresh_token to be used multiple times? Or what versions this is supported in (or links to any documentation about this)?
Many Thanks
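To make the behaviour being discussed concrete, here is a small added illustration (not API Connect or DataPower code, and not anything IBM support provided) of three refresh-token policies side by side: the single-use "revoke the old token first" rotation the question describes, a "mint the new token, then revoke the old one" rotation where an error in the flow leaves the old token valid, and a multi-use token that stays valid until expiry or explicit revocation. The token store, policy names, and the `mint` hook that simulates a backend error are all assumptions of this example, not product configuration.

```python
"""Model of refresh-token rotation strategies.

Added illustration only; this is not API Connect/DataPower code. The store, the
policy names below and the `mint` hook are hypothetical constructs of this example:
  - "revoke_first":      revoke old token, then mint new one (behaviour the thread reports)
  - "issue_then_revoke": mint new one first, revoke old only on success
  - "multi_use":         old token stays valid until it expires or is explicitly revoked
"""
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class RefreshToken:
    value: str
    subject: str
    expires_at: float
    revoked: bool = False


@dataclass
class TokenStore:
    policy: str
    ttl_seconds: float = 3600.0
    tokens: dict = field(default_factory=dict)
    # Counter a defender can alert on: refreshes that failed after the old token
    # was already consumed, i.e. users forced back through consent.
    stranded_users: int = 0

    def issue(self, subject):
        tok = RefreshToken(secrets.token_urlsafe(32), subject, time.time() + self.ttl_seconds)
        self.tokens[tok.value] = tok
        return tok

    def is_valid(self, value):
        tok = self.tokens.get(value)
        return tok is not None and not tok.revoked and tok.expires_at > time.time()

    def refresh(self, old_value, mint=None):
        """Exchange `old_value` for a new refresh token.

        `mint` builds the new grant and may raise to simulate an unexpected
        error somewhere in the flow (constructed failure, not a real backend).
        """
        old = self.tokens.get(old_value)
        if old is None or not self.is_valid(old_value):
            raise PermissionError("invalid_grant")
        mint = mint or (lambda subject: self.issue(subject))

        if self.policy == "revoke_first":
            old.revoked = True            # single use: consumed before anything else happens
            try:
                return mint(old.subject)
            except Exception:
                self.stranded_users += 1  # user now holds no valid refresh token
                raise
        if self.policy == "issue_then_revoke":
            new = mint(old.subject)       # if this raises, the old token is still valid
            old.revoked = True
            return new
        if self.policy == "multi_use":
            return mint(old.subject)      # old token remains usable until expiry/revocation
        raise ValueError("unknown policy")

    def revoke(self, value):
        if value in self.tokens:
            self.tokens[value].revoked = True


def simulate(policy, fail):
    """Run one refresh under `policy`.

    Returns (old_still_valid, new_token_issued, stranded_users).
    """
    store = TokenStore(policy)
    old = store.issue("alice")  # constructed sample subject

    def mint(subject):
        if fail:
            raise RuntimeError("simulated unexpected error during refresh")
        return store.issue(subject)

    try:
        new = store.refresh(old.value, mint)
        new_issued = store.is_valid(new.value)
    except RuntimeError:
        new_issued = False
    return store.is_valid(old.value), new_issued, store.stranded_users


if __name__ == "__main__":
    for policy in ("revoke_first", "issue_then_revoke", "multi_use"):
        for fail in (False, True):
            print(policy, "fail" if fail else "ok", simulate(policy, fail))
```

The trade-off the example makes visible: "issue_then_revoke" keeps users out of a forced re-consent when the flow fails, at the cost of a brief window with two valid tokens, while "multi_use" means a refresh token that is ever exposed stays usable until its lifetime ends, so it calls for a short lifetime and an explicit revocation path. The `stranded_users` counter is the kind of metric worth watching in any mode, since a spike in it is the mass re-consent problem the question describes.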
I would also ask via StackOverflow. I use tags: ibm-datapower, apiconnect, apic. Also any tags for oauth. It's an interesting situation. Good luck.
Thanks for the advice @Hummingtop - I posted here as our IBM enterprise support contact suggested we do this, but I'll try Stack Overflow as a next step (with the tags you suggest, thanks)