ROTATE_REFRESH_TOKEN Known Bug

[hamza-sabri]

I am working with Django Oauth2 on a freelancing project and used the username and password to handle authenticate users.

However, when I tried to refresh the access token I noticed that the refresh_token itself was revoked, and I found on the documentation that we can use ROTATE_REFRESH_TOKEN to disable this behavior.

But, the docs are talking about a known bug that I do not fully understand, why would setting this setting to False because the tokens are to be revoked, I debugged the code locally and didn't see anything that would cause this.

I suspect that the docs could be old, and a bit outdated in that regard, but not sure.

Can someone please explain it to me, and if it is safe to use when going into production or not?

[JordiNeil]

Hi, I just tested that case and is also working fine for me, if I define ROTATE_REFRESH_TOKEN to False inside the OAUTH2_PROVIDER setting. And the refresh token functionality is reusing the same refresh token, and it works for multiple refreshes.

Then I would also guess that the documentation is outdated.
That change was added in this PR and exactly this commit.
The description indicates this issue but for me it doesn't seems to be related