By default, when several token requests arrive for the same combination of client ID, user and scopes, the Identity Server returns the same access token and refresh token for every one of them until that token expires.
This feature changes that behaviour: each token request first revokes the existing active token and then issues a new access token and refresh token.
Try it out
Add the following configuration within the <OAuth> tag in the identity.xml file in <is_home>/repository/conf/identity to enable issuing a new token per request.
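As an added illustration, not the page's own snippet, this is how the RenewTokenPerRequest element named in the caveat that follows sits inside the existing <OAuth> block of identity.xml. The enabling value true is an assumption about the Identity Server version this page targets, so check it against the defaults shipped in your own identity.xml.

```xml
<OAuth>
    <!-- ... existing OAuth settings are left as they are ... -->
    <!-- Added illustration: issue a fresh access/refresh token pair on every
         token request for the same client, user and scopes, revoking the
         currently active token first. The value is assumed; the default
         behaviour is to reuse the active token until it expires. -->
    <RenewTokenPerRequest>true</RenewTokenPerRequest>
</OAuth>
```

identity.xml is read at startup, so restart the server after saving the change.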
If a custom OAuthTokenGenerator extension is in use, it overrides the value of
RenewTokenPerRequest, because code-level behaviour takes precedence over this configuration. For the same reason the setting does not affect self-contained access tokens, which are renewed on every request by default. It does not change the refresh token grant either: that grant always issues a new access token, and renews the refresh token only according to the
RenewRefreshTokenForRefreshGrant configuration in the
Test it out
After enabling the feature, create an OAuth application in the Identity Server and note its Client ID and Client Secret. You can then request tokens with the password grant type using the cURL command given below.
When you call the token endpoint a second time, the previous token is revoked and a new one is issued. As long as the client ID, user and scopes are the same, a new token is issued regardless of which grant type the second call uses.
Given below are the responses to the first and the second requests.
You can also introspect the first access token using the cURL command below; the response shows that it is now inactive.
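The whole check scripted end to end, as an added example that is not part of the WSO2 documentation: it requests two password-grant tokens for the same client, user and scope, then introspects the first access token and verifies that both tokens changed and the old one is inactive. The host https://localhost:9443, the /oauth2/token and /oauth2/introspect paths, the admin/admin account, the scope "default" and the placeholder client credentials are assumptions to adjust to your installation; the sample JSON responses embedded at the bottom are constructed so the check can be run without a server.

```shell
#!/bin/sh
# Added example, not part of the WSO2 documentation. Requests two password-grant
# tokens for the same client, user and scope, then introspects the first one.
# Assumptions (change to match your setup): IS at https://localhost:9443,
# admin/admin as resource owner and introspection user, scope "default",
# placeholder client credentials from the OAuth application you registered.
IS_HOST="${IS_HOST:-https://localhost:9443}"
CLIENT_ID="${CLIENT_ID:-<client_id>}"
CLIENT_SECRET="${CLIENT_SECRET:-<client_secret>}"
IS_USER="${IS_USER:-admin}"
IS_PASS="${IS_PASS:-admin}"

# Password-grant token request. -k only because a fresh IS ships a self-signed
# certificate; remove it once the server presents a certificate you trust.
request_token() {
  curl -s -k -X POST --basic -u "$CLIENT_ID:$CLIENT_SECRET" \
    -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
    -d "grant_type=password&username=$IS_USER&password=$IS_PASS&scope=default" \
    "$IS_HOST/oauth2/token"
}

# Introspect an access token; the endpoint is protected by basic auth.
introspect() {
  curl -s -k -X POST -u "$IS_USER:$IS_PASS" \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    --data "token=$1" "$IS_HOST/oauth2/introspect"
}

# Minimal extraction of a string field from a flat JSON response (no jq needed).
json_field() {
  printf '%s' "$1" | sed -n "s/.*\"$2\" *: *\"\([^\"]*\)\".*/\1/p"
}

# Extract the boolean "active" field from an introspection response.
json_active() {
  printf '%s' "$1" | grep -o '"active" *: *[a-z]*' | sed 's/.*: *//'
}

# Succeeds only if renewal behaved as the feature promises: the second request
# returned different access and refresh tokens, and the first access token
# introspects as inactive. Arguments: first token response, second token
# response, introspection response for the first access token.
check_renewal() {
  t1=$(json_field "$1" access_token); t2=$(json_field "$2" access_token)
  r1=$(json_field "$1" refresh_token); r2=$(json_field "$2" refresh_token)
  [ -n "$t1" ] && [ -n "$t2" ] || return 1          # both requests must have succeeded
  [ "$t1" != "$t2" ] || return 1                    # access token was not renewed
  [ "$r1" != "$r2" ] || return 1                    # refresh token was not renewed
  [ "$(json_active "$3")" = "false" ] || return 1   # old token is still active
  return 0
}

# Constructed sample responses in the shape of the IS token and introspection
# replies, so the check can be exercised without a running server.
SAMPLE_FIRST='{"access_token":"1a2b3c","refresh_token":"9z8y7x","scope":"default","token_type":"Bearer","expires_in":3600}'
SAMPLE_SECOND='{"access_token":"4d5e6f","refresh_token":"6w5v4u","scope":"default","token_type":"Bearer","expires_in":3600}'
SAMPLE_OLD_INTROSPECT='{"active":false}'

# Set RUN_LIVE=1 to talk to a real server; otherwise the samples are used.
if [ "${RUN_LIVE:-0}" = "1" ]; then
  FIRST=$(request_token)
  SECOND=$(request_token)
  OLD=$(introspect "$(json_field "$FIRST" access_token)")
else
  FIRST=$SAMPLE_FIRST; SECOND=$SAMPLE_SECOND; OLD=$SAMPLE_OLD_INTROSPECT
fi

if check_renewal "$FIRST" "$SECOND" "$OLD"; then
  echo "RenewTokenPerRequest is in effect: new tokens issued, old access token inactive"
else
  echo "tokens were not renewed per request; check RenewTokenPerRequest in identity.xml"
fi
```

Run it with RUN_LIVE=1 and real CLIENT_ID and CLIENT_SECRET against a server where the feature is enabled; with the feature disabled the second response carries the same tokens and the script reports that renewal did not happen.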