How to only obtain access_token using refresh_token generated in authorization code flow?

[minhnd410]

I used authorization code flow to obtain the access token, and refresh token within 3 scopes: openid, offline, and some_defined_scope. I need 2 access tokens for 2 separate services, one has scope openid, and one has some_defined_scope. The thing is, whenever I request access_token, it returns a new refresh_token and invalidates the previous one. Is there any way that I can keep the refresh_token validity in the event of requesting a new access_token?

One more thing, I found out that oauth2/token endpoint does not accept the query param scope, or I have misconfig it somewhere

Step to reproduce:

• Create client

curl -XPOST --data '{
   "audience": ["browser-client"],
   "client_id": "browser-client",
   "client_secret": "browser-secret",
   "grant_types": ["authorization_code", "refresh_token"],
   "response_types": ["code"],
   "scope": "openid offline_access",
   "redirect_uris": ["http://127.0.0.1:5555/callback"],
   "token_endpoint_auth_method": "client_secret_post"
}' http://127.0.0.1:4445/clients | jq '.'

• Request login

curl -XGET http://127.0.0.1:4444/oauth2/auth?response_type=code&client_id=browser-client&redirect_uri=http://127.0.0.1:5555/callback&scope=openid+offline_access&state=xxx

• Accept login

curl --silent -XPUT http://localhost:4445/oauth2/auth/requests/login/accept?login_challenge=xxx -d '{
  "acr": "oauth2",
  "remember": false,
  "remember_for": 0,
  "subject": "mail@mail.com"
}' | jq '.'

• Accept consent

curl --silent -XPUT http://127.0.0.1:4445/oauth2/auth/requests/consent/accept?consent_challenge=xxx -d '{
  "grant_access_token_audience": [
    "browser-client"
  ],
  "grant_scope": [
    "openid", "offline_access"
  ],
  "handled_at": "2020-10-23T20:49:00Z",
  "remember": false,
  "remember_for": 0,
  "session": {
    "id_token": {
      "first_name": "Ha",
      "last_name": "Hahah"
    }
  }
}' | jq '.'

• Obtain access and refresh token

curl -sv -XPOST http://127.0.0.1:4444/oauth2/token --data 'grant_type=authorization_code&code=xxx&redirect_uri=http://127.0.0.1:5555/callback&client_id=browser-client&client_secret=browser-secret'

• Trying to obtain only access token using refresh token but fail

curl -sv -XPOST http://127.0.0.1:4444/oauth2/token --data 'scope=openid&grant_type=refresh_token&refresh_token=xxx&client_id=browser-client&client_secret=browser-secret'

[vinckr]

Hello @minhnd410

No, in Ory, refresh tokens are single-use only.
This means that every time a client uses a refresh token to request new access tokens, a new refresh token is issued, and the previous token is invalidated.
This adds an extra layer of security and makes it more difficult for attackers to use stolen refresh tokens.