We've had OAuth2 running successfully for a while now, but we're finding that mobile applications have frequent problems with the refresh flow where a refresh request is made, but the network connection fails before the new AT/RT pair is received, leading to a "lost grant".
In server logs we can see that the token has been refreshed, and a new RT issued, but the client is stuck with the old invalidated RT. This problem has been reported by two separate client applications, both of whom are using a retry mechanism for API requests since they expect an unreliable network connection. Does anybody have any guidance on this issue, or is there any work in an extension to address the issue of lost grants for token refreshes?

--
Q. How many members of a demographic group does it take to perform a specified task?
A. A finite number; one to perform the task, and the remainder to act in a manner stereotypical of the group in question.
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
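One server-side mitigation for the lost-grant case described in the post, as an added example that is neither the poster's code nor from any OAuth implementation: the refresh endpoint treats a retried refresh with a just-rotated RT as idempotent inside a short grace window and returns the same new AT/RT pair, while reuse after the window, or after the new RT has itself been consumed, is treated as a possible token leak and the whole grant is revoked. The grace length, the in-memory store layout and the token format are assumptions for the illustration.

```python
import secrets
import time

GRACE_SECONDS = 30  # assumed window in which a retried refresh is honoured


class RefreshTokenStore:
    """Refresh-token rotation that tolerates a client retry of a refresh
    whose response was lost on the network, without giving up reuse detection."""

    def __init__(self, grace=GRACE_SECONDS, clock=time.time):
        self.grace = grace
        self.clock = clock          # injectable for deterministic tests
        self.tokens = {}            # rt -> record (grant, at, rotated_at, successor)
        self.revoked_grants = set()

    def issue(self, grant):
        """Create a fresh AT/RT pair bound to a grant (constructed token format)."""
        at, rt = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.tokens[rt] = {"grant": grant, "at": at, "rotated_at": None, "successor": None}
        return at, rt

    def refresh(self, rt):
        """Return (at, rt) for a valid refresh, or None if the RT is rejected."""
        rec = self.tokens.get(rt)
        if rec is None or rec["grant"] in self.revoked_grants:
            return None
        if rec["rotated_at"] is None:
            # First use of this RT: rotate it and remember the successor.
            at, new_rt = self.issue(rec["grant"])
            rec.update(rotated_at=self.clock(), successor=new_rt)
            return at, new_rt
        successor = self.tokens[rec["successor"]]
        in_window = self.clock() - rec["rotated_at"] <= self.grace
        if in_window and successor["rotated_at"] is None:
            # Retry after a lost response: the new pair was never used,
            # so hand the same pair back instead of breaking the grant.
            return successor["at"], rec["successor"]
        # Old RT presented after the window, or after the new RT was already
        # consumed by someone: treat as reuse and revoke the entire grant.
        self.revoked_grants.add(rec["grant"])
        return None
```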
