another_twist 6 days ago

When it comes to dealing with shitty platforms, AI is really the best thing ever. I have had the misfortune of writing automations for Atlassian with their weird handling of refresh keys, and had AI not pointed out that Atlassian had the genius idea of invalidating refresh keys after single use, I would have wasted a lot more of my time. For this sort of manual labour, AI is the best tool there is.

verdverm 6 days ago | parent | next [-]

One-time-use refresh keys are not all that uncommon, probably more so than not, but lots of clients handle that for you.

theonething 6 days ago | parent | prev [-]

> invalidating refresh keys after single use

That's called refresh token rotation and is a valid security practice.

another_twist 6 days ago | parent [-]

I know, but the RFC doesn't mandate it. https://datatracker.ietf.org/doc/html/rfc6749#section-6

Not sure why Google doesn't do this but Atlassian does.

cropcirclbureau 6 days ago | parent [-]

Google OAuth2 refresh tokens are definitely single use.

another_twist 6 days ago | parent [-]

At least not documented here https://developers.google.com/identity/protocols/oauth2#5.-r.... They have a limit on the number of tokens but not on number of uses per token.
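
The rotation question discussed in this thread, as an added example that is not part of any comment above and not taken from either provider's client libraries: a client-side refresh step that works whether or not the provider rotates, following RFC 6749 section 6 (a new refresh token in the response is optional and, when present, replaces the old one). The names `save_tokens`, `refresh`, `post_token_request` and `RotatingProvider` are hypothetical, and the provider class is a constructed stand-in rather than Atlassian's or Google's actual behaviour.

```python
import json
import os
import tempfile
import time


def save_tokens(path, tokens):
    # Write-then-rename: with rotation, a crash mid-write would otherwise
    # destroy the only refresh token the server still accepts.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w") as f:  # mkstemp creates the file with mode 0600
        json.dump(tokens, f)
    os.replace(tmp, path)


def refresh(path, post_token_request, now=time.time):
    """post_token_request(refresh_token) -> dict is a hypothetical callable
    that sends grant_type=refresh_token to the provider's token endpoint."""
    with open(path) as f:
        old = json.load(f)
    resp = post_token_request(old["refresh_token"])
    tokens = {
        "access_token": resp["access_token"],
        "expires_at": now() + resp.get("expires_in", 0),
        # A rotating provider returns a new refresh token; a non-rotating one
        # omits it, in which case the stored token must be kept, not dropped.
        "refresh_token": resp.get("refresh_token", old["refresh_token"]),
    }
    save_tokens(path, tokens)  # persist before the access token is used
    return tokens


class RotatingProvider:
    """Constructed stand-in for a token endpoint that rotates on every use."""

    def __init__(self, first):
        self.valid, self.n = first, 0

    def __call__(self, refresh_token):
        if refresh_token != self.valid:
            raise PermissionError("invalid_grant")  # replay of a spent token
        self.n += 1
        self.valid = f"rt-{self.n}"
        return {"access_token": f"at-{self.n}", "expires_in": 3600,
                "refresh_token": self.valid}
```

If two workers share one token file, serialize calls to `refresh`, since a rotating provider will reject whichever worker presents the already-spent token.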