Difference between Refresh Token Reuse Interval and Token Generated in Future Leeway
Overview
This article details the difference between the Refresh Token Reuse Interval and Token Generated in Future Leeway, as well as the maximum values for these features.
Applies To
- Refresh Token Reuse Interval
- Token Generated in Future Leeway
Solution
- Refresh Token Reuse Interval:
  - This is the period during which a Refresh Token can be reused to request new access tokens. The maximum value for this is 2592000 seconds (30 days).
- Token Generated in Future Leeway:
  - Refers to the acceptable time difference allowed for tokens issued in the future due to clock skew between servers. The Leeway for tokens generated in the future is typically much smaller, with a maximum of 60 seconds.
Therefore, the Reuse Interval and the Leeway are not the same, and they serve different purposes in the token's lifecycle management.
For example:
There is a rotating refresh token, RT1, which currently has a 60-second Leeway. When RT1 is used to request new access tokens, RT2 and AT2 are returned.
Within the 60-second Leeway, it is also possible to get RT3 and AT3 using RT2.
- RT1 - First generation
- RT2 - Second generation
- RT3 - Third generation (the current generation)
The Leeway applies only to the previous generation - which is RT2 at the moment. Within the Leeway window, RT2 will work. This is referred to as second-to-last in the documentation.
However, RT1 will not work now, even if it is still inside the Leeway - because it is from an older generation. If it is reused, all other RTs will be invalidated as well.
At any moment:
- Inside the Leeway, current and previous-generation RTs will work.
- After the Leeway, only current-generation RTs will work.
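The generation rules above can be modelled in a few lines. This is an added sketch, not the product's implementation: the class RefreshTokenFamily, its exchange method and the outcome strings are hypothetical names, access tokens are left out, and time is passed in as plain seconds so the run is repeatable.

```python
import secrets


class RefreshTokenFamily:
    """Toy model of one rotating refresh-token family (hypothetical, for illustration)."""

    def __init__(self, leeway_seconds, now=0.0):
        self.leeway = leeway_seconds
        self.tokens = [secrets.token_urlsafe(16)]  # list index = generation - 1
        self.rotated_at = now  # time the current generation was issued
        self.revoked = False

    def exchange(self, presented, now):
        """Return (outcome, refresh_token_or_None) for a presented refresh token."""
        if self.revoked or presented not in self.tokens:
            return ("rejected", None)
        age = len(self.tokens) - 1 - self.tokens.index(presented)  # 0 = current
        if age == 0:
            # Current generation: rotate; the window for the old token starts now.
            self.tokens.append(secrets.token_urlsafe(16))
            self.rotated_at = now
            return ("rotated", self.tokens[-1])
        if age == 1 and now - self.rotated_at <= self.leeway:
            # Previous generation inside the window is still honoured.
            # Simplification: return the current token instead of minting another.
            return ("accepted_in_window", self.tokens[-1])
        # Older generation, or previous generation after the window: reuse.
        # The article states family invalidation for the older-generation case;
        # applying it to the expired-window case is an assumption of this sketch.
        self.revoked = True
        return ("family_revoked", None)


def demo():
    fam = RefreshTokenFamily(leeway_seconds=60, now=0)
    rt1 = fam.tokens[0]
    _, rt2 = fam.exchange(rt1, now=10)  # RT1 -> RT2
    _, rt3 = fam.exchange(rt2, now=20)  # RT2 -> RT3 (current generation)
    results = [fam.exchange(rt2, now=50)[0]]      # previous generation, 30 s later
    results.append(fam.exchange(rt1, now=55)[0])  # two generations old
    results.append(fam.exchange(rt3, now=56)[0])  # current, but family is revoked
    return results


if __name__ == "__main__":
    print(demo())
```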