Forgive me if I use the wrong terms here; this is something that came up here on Monday in the office with @ogoffart and @michaelstingl and @jnweiger and @ckamm
This is to avoid a situation where the reply from the server with the new authentication token gets lost but we can't use the refresh token for a second time because the server already invalidated it.
On usage of the refresh token, the server could create a new authentication token but still keep the refresh token valid to be used again. Only when the new authentication token has been used by the client do we know that the client properly received the new authentication token, and the server can invalidate the refresh token.
Could this be related to owncloud/android#2685? Not sure if I understand the different tokens correctly, but some refresh tokens seem to have gone missing there. So maybe that's one of the consequences of refresh tokens getting invalidated too early?
Refresh tokens themselves have no expiry (yet).
Refresh tokens do get removed as soon as they are used once to recreate an access token and a new refresh token (and when the client is removed via the settings, but this does not seem to be the case here).
The described scenarios can only happen in cases where tokens are refreshed but the new refresh token is not properly stored and the old one continues to be used.
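The deferred invalidation proposed in the issue description, modelled as an added example that is not part of the thread and not ownCloud's oauth2 code. The class, method names and the in-memory store are assumptions for illustration; the scenario replays the lost-reply case against it.

```python
import secrets

class DeferredRotationStore:
    """Toy in-memory server-side token store (hypothetical names)."""
    def __init__(self):
        self.refresh = {}   # refresh token -> client id
        self.access = {}    # access token -> client id
        self.pending = {}   # old refresh token -> unconfirmed (access, refresh) pair

    def issue(self, client_id):
        access, refresh = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.access[access] = client_id
        self.refresh[refresh] = client_id
        return access, refresh

    def refresh_grant(self, old_refresh):
        client_id = self.refresh.get(old_refresh)
        if client_id is None:
            raise PermissionError("invalid_grant")
        # A retry means the earlier reply was lost: revoke that unconfirmed pair.
        self._revoke_pair(self.pending.pop(old_refresh, None))
        pair = self.issue(client_id)
        self.pending[old_refresh] = pair  # old refresh token stays valid for now
        return pair

    def use_access(self, access):
        client_id = self.access.get(access)
        if client_id is None:
            raise PermissionError("invalid_token")
        # First use proves the client received the reply: retire the old refresh token.
        for old_refresh, pair in list(self.pending.items()):
            if pair[0] == access:
                del self.pending[old_refresh]
                self.refresh.pop(old_refresh, None)
        return client_id

    def _revoke_pair(self, pair):
        if pair:
            self.access.pop(pair[0], None)
            self.refresh.pop(pair[1], None)

def lost_reply_scenario():
    """Constructed scenario: the first refresh reply never reaches the client."""
    store = DeferredRotationStore()
    _, r0 = store.issue("desktop-client")
    lost_access, _ = store.refresh_grant(r0)  # reply lost in transit
    a1, r1 = store.refresh_grant(r0)          # retry with the same refresh token works
    store.use_access(a1)                      # confirms receipt, r0 is now retired
    return store, r0, lost_access, a1, r1
```

In this model the old refresh token remains replayable until the new access token is first seen, so the window is bounded by how quickly the client makes its next authenticated request.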