Refresh Token Rotation: how to enable it?

[aldbr]

Hello,

Does Indigo IAM implement the refresh token rotation mechanism?
From what I heard it does, but I haven't found any documentation about it.

If it is the case, could you point me to some documentation to enable it, please?

Thanks

[federicaagostini]

Hello, for now IAM does not implement the refresh token rotation mechanism (thus, there is no documentation about that).

As far as I know, RT rotation would break the oidc-token command when asking for an access token.
In fact, the oidc-gen command registers a new client and triggers an authorization code flow including the offline_access scope in order to request a RT. Then, the RT is stored locally together with the oidc-agent configuration, and any time one runs the oidc-token command it triggers a refresh token flow.

Anyway, the RT rotation is mandatory in the OAuth 2.1 draft and we can think about implementing it at some point.

[aldbr]

Auth0 seems to propose the refresh token rotation mechanism as an option that can be toggled on and off through an interface: https://auth0.com/docs/secure/tokens/refresh-tokens/configure-refresh-token-rotation.

This could be considered:

• users passing directly through the REST interface could enable it
• users using the oidc-agent could disable it