Grace period for single-use refresh tokens

This option has security impact! Configuring a grace period weakens the single-use property of refresh tokens. If a grace period is not strictly necessary, it is not recommended to use this option.

Enabling single-use refresh tokens allows to optionally configure a grace period. The grace period is a duration in seconds during which an already used refresh token might be used again for another refresh.

This option may be used if the OAuth 2.0 client might not be able to receive the response of a token refresh request (e.g. mobile apps losing connection). Normally, the provided refresh token is invalidated in this case, leaving the client without valid tokens. By configuring a grace period, such a client is able to reuse an already used refresh token within the configured time (called grace period) as long as the previously issued new tokens have not been used. If a refresh token is used to obtain several new token pairs, only the most recent new token pair is valid. It is recommended to set the grace period as short as possible. If the client may not able to retry within a defined period of time, the grace period can also be set to the refresh token validity duration. While single-use tokens generally lead to fewer active tokens per user in the database, enabling the grace period will roughly double the number of active tokens. However in comparison to not enabling single-use tokens, the number of active tokens is still much lower.