[OAUTH] [ENHANCEMENT] Implement Refresh Token Rotation #30

@chris-schra

Description
  • What: Add refresh token rotation support when config.requireTokenRotation is true
  • Why: Additional security measure - prevents long-term refresh token compromise
  • Current State: Configuration option exists but feature not implemented
  • Implementation Details:
    // In handleRefreshTokenGrant() after generating new access token:
    if (this.config.requireTokenRotation) {
      // 1. Generate new refresh token
      const newRefreshToken = generateRefreshToken();
      // 2. Save new refresh token
      await this.storage.saveRefreshToken(newRefreshToken);
      // 3. Invalidate old refresh token
      await this.storage.deleteRefreshToken(refresh_token);
      // 4. Include in response
      tokenResponse.refresh_token = newRefreshToken.token;
    }
