Why does my refresh token become invalid after using another refresh token in the same OAuth app?

Hi Team,

I’m currently using Jira OAuth 2.0 Authorization Code Flow and I’m trying to understand how rotating refresh tokens work when the same app is authorized multiple times.

Here is what I did:

  1. I authorized the same OAuth 2.0 app twice, which gave me:
     • refresh_token_1 (from the first authorization)
     • refresh_token_2 (from the second authorization)
  2. I used refresh_token_1 to get a new access token and refresh token:
     • I received AccessToken_A and refresh_token_3
     • So now refresh_token_3 should be used for future refreshes
  3. After some time (more than 10 minutes), I used refresh_token_2 (from the second authorization) to get new tokens:
     • I received AccessToken_B and refresh_token_4 successfully

Now when I try to use refresh_token_3 (which was generated from refresh_token_1), I get the following error:

{
  "error": "unauthorized_client",
  "error_description": "refresh_token is invalid"
}

I expected refresh_token_3 to still be valid because it was freshly generated and hadn’t been used to generate an access token.

My questions are:

  • Why did refresh_token_3 become invalid?
  • Does using a different refresh token from the same client (like refresh_token_2) revoke the previous refresh token chain?
  • Is it true that only one refresh token at a time is valid per OAuth client (app) per user session?

Any official guidance or clarification would be very helpful. Thank you!