Refresh Token Rotation Implementation Questions

Question

Recently I have been reading about RTR (Refresh Token Rotation). After going over many blogs, docs, and various StackOverflow answers, I didn't find an appropriate solution for a couple of questions.

1. Refresh tokens are meant to be long-lived tokens but in the RTR case scenario where every time an access_token is demanded a new refresh token is granted with it revoking the old refresh token, will the RTR token life span be any shorter compared to a non-RTR token?
2. A StackOverflow Question point 2 Refresh token family should have some common characteristics so when reuse is detected it can revoke the family. The answer says In some Identity Server you will have some sort of consent object saved and tokens related to this consent object. Assuming a user logs in via multiple places X and Y and has the same audience, website, and same consent object what characteristics should be applied to categorize the refresh token family for X and Y?
3. After the token rotation there is a grace period as mentioned here in case the user comes back with the old token due to some issue, in this case, do we issue a new refresh token and revoke the one granted before with the old one or do we pass on the new refresh token we just created earlier?

Can someone please guide me here, Thank You.

Answer 1

To answer your questions

1. The one-time refresh token approach will give you a new refresh token every time it is used. But you don't refresh it for each access token usage. The token still has a custom lifetime of your choosing. can be 5 minutes, 1 hour or 1 week. The big idea of rotation is to make it harder for a hacker to also use the same refresh token. If the token is used by both the hacker and you, then you are automatically signed-out.

2. In the implementations that I have used, you typically only keep the latest received refresh token in the client, so if two different ones are issued, you only keep the latest one.

In general these questions are a bit "it depends" and I guess they all handle this slightly different.

if we look at the database table for IdentityServer, we see that it also contains a SessionID, so if you do login multiple times, you will get separate tokens, as the session is different.