indigo-iam / iam

INDIGO Identity and Access Management Service

Home Page: https://indigo-iam.github.io/

Single-shot refresh-tokens from urn:ietf:params:oauth:grant-type:token-exchange

murrayc3 opened this issue

Dear IAM experts,

Our FTS services at CERN have observed that refresh tokens given via the urn:ietf:params:oauth:grant-type:token-exchange grant type are single-shot. Whilst the FTS software handles this, the overall WLCG protocol is very fragile. If an FTS server loses track of a refresh token then it can no longer refresh the associated access token.

Can IAM be configured to exchange access-tokens for refresh-tokens that can be used multiple times until their expiration timestamp?

Regards,

Steven Murray - FTS Service Manager at CERN

Hi, there exists an option to reuse the refresh tokens until the expiry date. If you go to the Tokens section of the client configuration in the IAM dashboard, you can easily change it. You need to check the Reuse refresh token box.

Hi,
This is great news! I will relay the information to the https://atlas-auth.web.cern.ch/ service here at CERN.
Regards,
Steve

Closing the issue, as checking the Reuse refresh token box should have fixed the issue.
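
The fragility described in this thread, as an added example that is not part of the original issue and is not IAM or FTS code: a client that keeps working whether or not the server rotates refresh tokens, by atomically persisting any new refresh token that comes back in a refresh response (RFC 6749, section 6). `FakeTokenEndpoint`, its `reuse_refresh_token` flag and the `rt-initial` value are constructed stand-ins that model the two behaviours discussed above.

```python
import json, os, secrets, tempfile

class FakeTokenEndpoint:
    """Constructed stand-in for a token endpoint (assumption, not IAM code)."""
    def __init__(self, reuse_refresh_token):
        self.reuse = reuse_refresh_token
        self.valid = {"rt-initial"}          # constructed sample refresh token

    def refresh(self, refresh_token):
        if refresh_token not in self.valid:
            return {"error": "invalid_grant"}
        resp = {"access_token": secrets.token_hex(8), "token_type": "Bearer"}
        if not self.reuse:                   # single-shot: rotate on every use
            self.valid.discard(refresh_token)
            new_rt = "rt-" + secrets.token_hex(8)
            self.valid.add(new_rt)
            resp["refresh_token"] = new_rt
        return resp

def save_refresh_token(path, token):
    """Write to a temp file, fsync, then rename, so a crash cannot leave a
    truncated file; mkstemp creates the file readable by the owner only."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as f:
        json.dump({"refresh_token": token}, f)
        f.flush()
        os.fsync(f.fileno())
    os.replace(tmp, path)

def load_refresh_token(path):
    with open(path) as f:
        return json.load(f)["refresh_token"]

def refresh_access_token(endpoint, path):
    """Refresh once and persist a rotated refresh token before handing
    back the access token, so the stored token is never the spent one."""
    resp = endpoint.refresh(load_refresh_token(path))
    if "error" in resp:
        raise RuntimeError(resp["error"])
    if "refresh_token" in resp:              # server rotated: replace the old one
        save_refresh_token(path, resp["refresh_token"])
    return resp["access_token"]
```

With rotation enabled, any copy of the old refresh token (a second server, a restored backup) is rejected with `invalid_grant`, which is the failure mode the issue describes.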