Reusing Refresh Tokens By Default
Historically, IdentityServer could either issue reusable refresh tokens or enforce refresh token rotation. The default value was “rotate”, which can often lead to problems. In IdentityServer 7.0, we changed the default behavior so that refresh tokens are reusable by default. In this blog post, we’ll describe refresh tokens and their security in detail and explain why we made this choice.