CONCEPT Cited by 1 source
Refresh token invalidation
Refresh token invalidation is a security mechanism where the OAuth server invalidates an entire token chain (access token + refresh token + any descendant tokens) when it detects that a refresh token has been reused — a potential indicator of token theft.
Mechanism
When a refresh token is used to obtain a new access/refresh pair, the old refresh token is marked as consumed. If a request subsequently arrives with the already-consumed token, the server assumes theft (the legitimate client already refreshed, so who else has the old token?) and invalidates the entire chain.
Problem at Scale
High-volume clients like CLIs and MCP tools may issue near-simultaneous refresh requests due to network retries or concurrent requests. This triggers false-positive reuse detection, invalidating legitimate sessions (Source: sources/2026-06-24-cloudflare-oauth-for-all).
Mitigation Approaches
- Proxy-layer coalescing: Deduplicate refresh requests at the proxy before they reach the OAuth server (see patterns/refresh-token-coalescing).
- Grace period (Ory Hydra 2.x): Allow a configurable window where a refresh token can be retried without triggering chain invalidation.
- Client-side synchronization: Ensure only one refresh request is in-flight at a time (difficult for distributed clients).
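The rotation, reuse detection and grace-window behaviour described in the Mechanism and Mitigation sections, as an added example that is not code from the cited source or from Ory Hydra. The in-memory store, its class names and the fixed grace window are assumptions; `simulate()` drives it with a fake clock so that a quick retry with and without a grace window, and a late replay, give deterministic outcomes.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

@dataclass
class RefreshRecord:
    family: str                          # chain id shared by every descendant of the first grant
    consumed_at: Optional[float] = None  # when this token was rotated; None while still live
    successor: Optional[str] = None      # token handed out in exchange, re-served inside the grace window

class RefreshTokenStore:
    def __init__(self, grace_seconds: float = 0.0, clock: Callable[[], float] = time.monotonic):
        self.grace_seconds = grace_seconds   # 0.0 reproduces strict one-use rotation
        self.clock = clock
        self.tokens: Dict[str, RefreshRecord] = {}
        self.revoked_families: Set[str] = set()

    def issue_family(self) -> str:
        """Initial grant: start a new chain and return its first refresh token."""
        token = secrets.token_urlsafe(32)
        self.tokens[token] = RefreshRecord(family=secrets.token_urlsafe(8))
        return token

    def refresh(self, token: str) -> Optional[str]:
        """Exchange a refresh token for its successor; None means the chain is dead."""
        rec = self.tokens.get(token)
        if rec is None or rec.family in self.revoked_families:
            return None
        if rec.consumed_at is not None:
            # Already rotated: a retry inside the grace window gets the same successor back.
            if self.clock() - rec.consumed_at <= self.grace_seconds:
                return rec.successor
            # Outside the window this is reuse: assume theft and kill the whole chain.
            self.revoked_families.add(rec.family)
            return None
        successor = secrets.token_urlsafe(32)
        self.tokens[successor] = RefreshRecord(family=rec.family)
        rec.consumed_at, rec.successor = self.clock(), successor
        return successor

def simulate(grace_seconds: float, retry_delay: float) -> dict:
    """Rotate once, then present the old token again retry_delay seconds later (fake clock)."""
    now = [0.0]
    store = RefreshTokenStore(grace_seconds, clock=lambda: now[0])
    first = store.issue_family()
    new = store.refresh(first)           # legitimate rotation at t=0
    now[0] += retry_delay
    retry = store.refresh(first)         # the consumed token is presented again
    return {"retry_got_same_pair": retry == new, "chain_alive": store.refresh(new) is not None}
```

With `grace_seconds=0.0` a 200 ms network retry is indistinguishable from theft and the whole chain dies, which is the false positive the Problem at Scale section describes; with a 2 s window the retry is answered with the same pair, while a replay 30 s later is still treated as reuse.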