Option to NOT revoke refresh tokens? #815

Closed
groe opened this issue Apr 14, 2016 · 2 comments

groe commented Apr 14, 2016

I use access and refresh tokens to authenticate mobile apps accessing an API server. The goal is to do the login with username/password once, then only keep access and refresh tokens on the client, which can be reissued again and again. The access tokens expire after a few hours and clients use the refresh token flow to receive a new access token. Most of the time that works perfectly well.

However, since these are mobile clients they often have unreliable internet connectivity. Sometimes they submit the refresh token request, the server receives it, generates a new access/refresh token pair and sends it back to the client, which... never receives it. So the client will retry the refresh token request, but it will fail because the original refresh token has been revoked when the new one was issued. As a result, the client is completely logged out and the user has to reauthenticate by entering username / password.

According to the spec the authorization server MAY revoke the old refresh token after issuing a new refresh token to the client.

It would be great if there were an option to not revoke refresh tokens when refreshing, e.g. like this:

Doorkeeper.configure do
  use_refresh_token revoke_on_refresh: false
end

Any thoughts?

tute commented Apr 19, 2016

You want this PR merged in: #769. In this scenario, the previous refresh token wouldn't get revoked, until the new one is used once.
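Added example, not Doorkeeper's code and not part of the thread: a small in-memory Ruby model of the two rotation policies discussed above, immediate revocation (the behaviour groe ran into, where the retry with the old refresh token fails) and the deferred revocation tute describes for #769 (the old refresh token is revoked only once its successor is used). The class, method and hash-key names are mine; `lost_response_scenario` replays the flaky-network case from the issue under either policy and returns what happened.

```ruby
require 'securerandom'

# Constructed model of refresh-token rotation (not Doorkeeper's implementation).
# defer_revocation: false -> the refresh token is revoked as soon as it is exchanged.
# defer_revocation: true  -> using a refresh token revokes its predecessor instead,
#                            so the token just used stays valid until its successor is used.
class RefreshTokenServer
  Grant = Struct.new(:access_token, :refresh_token, :previous_refresh_token, :revoked,
                     keyword_init: true)

  def initialize(defer_revocation:)
    @defer_revocation = defer_revocation
    @grants = {} # refresh_token => Grant
  end

  # Password login (credentials assumed already verified): issues the first pair.
  def login
    issue(previous: nil)
  end

  # Refresh-token grant. Returns the new Grant, or nil if the presented token is
  # unknown or already revoked (the case that logs the mobile client out).
  def refresh(refresh_token)
    current = @grants[refresh_token]
    return nil if current.nil? || current.revoked

    if @defer_revocation
      predecessor = @grants[current.previous_refresh_token]
      predecessor.revoked = true if predecessor
    else
      current.revoked = true
    end
    issue(previous: refresh_token)
  end

  def revoked?(refresh_token)
    grant = @grants[refresh_token]
    grant.nil? || grant.revoked
  end

  private

  def issue(previous:)
    grant = Grant.new(access_token: SecureRandom.hex(16),
                      refresh_token: SecureRandom.hex(16),
                      previous_refresh_token: previous,
                      revoked: false)
    @grants[grant.refresh_token] = grant
  end
end

# Replays the scenario from the issue: the client sends refresh token T1, the server
# issues T2 but the response is lost, so the client retries with T1 (the only refresh
# token it still holds). Returns a hash describing the outcome under the chosen policy.
def lost_response_scenario(defer_revocation:)
  server = RefreshTokenServer.new(defer_revocation: defer_revocation)
  t1 = server.login.refresh_token

  t2_grant = server.refresh(t1)     # issued server-side, never reaches the client
  retry_grant = server.refresh(t1)  # the retry

  result = {
    retry_succeeded: !retry_grant.nil?,
    t1_revoked_after_retry: server.revoked?(t1)
  }
  if retry_grant
    # The client now holds T3 and uses it normally; that first use revokes T1.
    server.refresh(retry_grant.refresh_token)
    result[:t1_revoked_after_t3_used] = server.revoked?(t1)
    # The orphaned T2 was never presented, so nothing in this model revokes it.
    result[:orphan_t2_still_valid] = !server.revoked?(t2_grant.refresh_token)
  end
  result
end

if __FILE__ == $PROGRAM_NAME
  p lost_response_scenario(defer_revocation: false)
  p lost_response_scenario(defer_revocation: true)
end
```

Under immediate revocation the retry returns nil, which is the forced re-login groe describes. Under deferred revocation the retry succeeds, and T1 is revoked as soon as T3 is used. The model also makes the trade-off visible: the orphaned T2 from the lost response is a live refresh token that nothing in this model ever revokes, so a deployment relying on deferred revocation should also bound refresh-token lifetime with an expiry, so that lost-response orphans cannot be exchanged indefinitely.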

tute commented Apr 19, 2016

Closing in favor of PR. Thanks for reporting.
