OAuth2 specifications list PKCE as an extension to the standard. As you state in your documentation, the refresh token can only be used once. Why is this? I could not find such a recommendation, although the original spec did state that old refresh tokens may be revoked after a new one is issued. So why PKCE specifically, added security?
Granted, refresh tokens can be chained, and the tokens can be used for the full duration, even after consuming the refresh token. But having a single refresh token from which to spawn new tokens is quite practical. For my specific use case: performing automated tests against the Web API with e.g. Travis was possible thanks to generating a user token from the same refresh token over and over again. As PKCE was meant to be an improvement and replacement to the vanilla user authorisation, I'd like to see it being used exclusively, but this refreshing complicates things.
So, are you set on these semantics for PKCE? If so, are you planning on making the case for vanilla user authorisation stricter as well?
Solved! Go to Solution.
You're right that the reason is added security.
The concept that with every refresh, both tokens get renewed and the old ones get invalidated is called 'refresh token rotation.' It prevents leaked refresh tokens from being used to generate access tokens. If an old, compromised refresh token were to be presented to the authorization server, it would notice and invalidate all tokens. Without refresh token rotation, it would not be possible to tell if a refresh token was leaked because both the rightful owner and attacker would be using the same refresh token to generate access tokens.
Refresh token rotation is especially useful with PKCE because PKCE supports browser-based authorization. Browsers can't securely store confidential data, so there is a higher risk that refresh tokens get leaked. Refresh token rotation is surely staying for PKCE. It might take a while for the vanilla authorization flow to adopt this concept though because it would break existing client implementations.
You can find more here https://auth0.com/docs/tokens/refresh-tokens/refresh-token-rotation.