Layer7 API Management

  • 1.  How many times can we use a Refresh token

    Posted Mar 22, 2018 10:39 AM

    Hi Team,

    Do we have any configuration for how many times we can use a refresh token?

    I am using grant type = password.

    I get an access token and a refresh token. I am using the refresh token to get a new access token.

    I want to block the user if he uses the refresh token more than 2 times.



  • 2.  Re: How many times can we use a Refresh token

    Broadcom Employee
    Posted Mar 22, 2018 06:27 PM

    Then you may need to customize the token endpoint, maybe this could work -- add a quota assertion under the refresh token branch, using client_id as custom Counter ID.



  • 3.  Re: How many times can we use a Refresh token

    Posted Mar 22, 2018 10:50 PM

    By default is it 1 time?



  • 4.  Re: How many times can we use a Refresh token

    Broadcom Employee
    Posted Mar 22, 2018 11:43 PM

    It depends... by default, each time you refresh the token, it returns a new access token and a new refresh token.

    If you're talking about the old refresh token, it is only available one time. But from the client side, there is no limitation; you can always refresh as long as the refresh token is not expired.



  • 5.  Re: How many times can we use a Refresh token

    Posted Mar 27, 2018 11:00 PM

    Thanks



  • 6.  Re: How many times can we use a Refresh token

    Posted Mar 28, 2018 11:18 AM

    I see the same refresh token being generated all the time; only the access token is changing.

    Can you please clarify?



  • 7.  Re: How many times can we use a Refresh token
    Best Answer

    Broadcom Employee
    Posted Mar 28, 2018 06:15 PM

    Then you must have OTK 4.1 or above; refresh token reuse was introduced in OTK 4.1, but still, by default, it's for one-time use only.

    Release Notes - CA API Management OAuth Toolkit - 4.1 - CA Technologies Documentation 

     

    You can configure the behavior as per Token Configuration - CA API Management OAuth Toolkit - 4.1 - CA Technologies Documentation
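
The behaviour discussed in this thread, modelled as an added Python example (not Layer7 policy, not OTK code, and not written by any poster): one-time-use rotation versus refresh token reuse, plus a quota check in the refresh branch keyed by `client_id`. The class, its parameters (`max_refreshes`, `reuse_refresh_token`, `per_user`) and the sample client and user names are all assumptions made for illustration.

```python
import secrets

class InvalidGrant(Exception):
    """Refresh token unknown, already used, or issued to another client."""

class QuotaExceeded(Exception):
    """The counter ID has used up its allowed refreshes."""

class TokenEndpoint:
    # Constructed in-memory model; every name here is hypothetical.
    def __init__(self, max_refreshes=2, reuse_refresh_token=False, per_user=False):
        self.max_refreshes = max_refreshes
        self.reuse = reuse_refresh_token  # False = one-time use, the default described above
        self.per_user = per_user          # assumption: count per (client_id, user) instead
        self.live = {}                    # refresh_token -> (client_id, username)
        self.counters = {}                # counter ID -> refreshes consumed

    def _issue(self, owner, refresh_token=None):
        if refresh_token is None:
            refresh_token = secrets.token_urlsafe(16)
        self.live[refresh_token] = owner
        return {"access_token": secrets.token_urlsafe(16), "refresh_token": refresh_token}

    def password_grant(self, client_id, username):
        return self._issue((client_id, username))   # credential check omitted in this model

    def refresh_grant(self, client_id, refresh_token):
        owner = self.live.get(refresh_token)
        if owner is None or owner[0] != client_id:
            raise InvalidGrant("invalid_grant")      # replayed or unknown token: no quota consumed
        # client_id as counter ID is shared by every user of that client
        counter_id = owner if self.per_user else client_id
        used = self.counters.get(counter_id, 0)
        if used >= self.max_refreshes:
            del self.live[refresh_token]             # revoke, forcing re-authentication
            raise QuotaExceeded(f"refresh quota reached for {counter_id!r}")
        self.counters[counter_id] = used + 1
        if self.reuse:
            return self._issue(owner, refresh_token) # same refresh token, new access token
        del self.live[refresh_token]                 # rotation: the old token is now dead
        return self._issue(owner)

if __name__ == "__main__":
    ep = TokenEndpoint(max_refreshes=2)
    tok = ep.password_grant("app1", "alice")
    for attempt in (1, 2, 3):
        try:
            tok = ep.refresh_grant("app1", tok["refresh_token"])
            print(attempt, "ok")
        except QuotaExceeded as exc:
            print(attempt, "blocked:", exc)
```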