simple_oauth_refresh_token_buffer
Extends the Simple OAuth module by implementing a configurable per-client grace period for the refresh token rotation.
What Problem Does This Solve?
The Simple OAuth module rotates refresh tokens by default: every use of the refresh token grant revokes the refresh token that was presented and issues a new one. When several requests present the same refresh token, only the first succeeds; the others are rejected because that token was already rotated by the first request.
In modern web applications this happens routinely: several independent requests (multiple tabs, parallel API calls) notice the expired access token at the same moment and each try to refresh it. Without a grace period this produces failed requests, a poor user experience and application errors.
Key Features
- Configurable grace period (1-60 seconds) per OAuth2 client
- Seamless integration with Simple OAuth module
- Behaviour modelled on the refresh token grace period (reuse interval) offered by providers such as Auth0 and Okta
- Balanced approach to security and user experience
Example
A frontend application is configured to transparently refresh expired access tokens by using the refresh token grant.
A user comes back after some time and, as is typical of web applications, several requests fire at once; each finds the access token expired and each attempts to refresh it with the same refresh token.
Without this module, the first request receives new tokens and the others fail, because the refresh token they present has already been revoked by the rotation.
With the refresh token buffer enabled, later refresh attempts that present the already-rotated refresh token within the configured grace period receive the same token pair that the first successful request received, instead of an error.
This significantly improves the reliability and user experience of your Drupal-powered applications.
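The flow above, written out as an added, language-agnostic illustration. This is not the module's PHP code and does not use any Drupal or Simple OAuth API; the class names, the in-memory store, the refresh_or_none helper and the rule that clients with no configured grace period get strict rotation (grace 0) are assumptions made for this example. Configured values are clamped to the 1-60 second range the README documents.

```python
"""Refresh token rotation with a per-client grace period.

Illustration only (not the module's code).  Assumed here: an in-memory
store, a `ManualClock` for deterministic tests, and grace = 0 (strict
rotation) for clients that have no configured grace period.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

GRACE_MIN, GRACE_MAX = 1, 60  # seconds; the range the README documents


@dataclass
class TokenPair:
    access_token: str
    refresh_token: str


@dataclass
class RefreshRecord:
    client_id: str
    revoked_at: Optional[float] = None       # set when the token is rotated
    replacement: Optional[TokenPair] = None  # pair handed out by that rotation


class RefreshTokenError(Exception):
    """Raised where an OAuth2 server would answer 'invalid_grant'."""


class RefreshGrant:
    """Refresh token grant with rotation and a per-client grace window."""

    def __init__(self, grace_seconds_by_client: Dict[str, int],
                 clock: Callable[[], float] = time.monotonic):
        self.clock = clock
        # Clamp every configured value into the documented 1-60 s range.
        self.grace = {cid: max(GRACE_MIN, min(GRACE_MAX, secs))
                      for cid, secs in grace_seconds_by_client.items()}
        self.store: Dict[str, RefreshRecord] = {}

    def issue(self, client_id: str) -> TokenPair:
        pair = TokenPair(secrets.token_urlsafe(32), secrets.token_urlsafe(32))
        self.store[pair.refresh_token] = RefreshRecord(client_id)
        return pair

    def refresh(self, client_id: str, refresh_token: str) -> TokenPair:
        rec = self.store.get(refresh_token)
        if rec is None or rec.client_id != client_id:
            raise RefreshTokenError("invalid_grant: unknown refresh token")
        if rec.revoked_at is None:
            # First presentation: rotate.  The old token is revoked and the
            # replacement pair is remembered so that replays can be answered.
            new_pair = self.issue(client_id)
            rec.revoked_at = self.clock()
            rec.replacement = new_pair
            return new_pair
        # Already rotated: honour it only inside the client's grace window,
        # and then hand back the *same* pair the first request received.
        grace = self.grace.get(client_id, 0)  # assumption: unconfigured = strict
        if self.clock() - rec.revoked_at < grace:
            return rec.replacement
        raise RefreshTokenError("invalid_grant: refresh token revoked")


def refresh_or_none(grant: RefreshGrant, client_id: str,
                    refresh_token: str) -> Optional[TokenPair]:
    """Wrapper returning None where the server would answer invalid_grant."""
    try:
        return grant.refresh(client_id, refresh_token)
    except RefreshTokenError:
        return None


class ManualClock:
    """Deterministic clock so the grace window can be stepped explicitly."""

    def __init__(self, start: float = 1000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


if __name__ == "__main__":
    clock = ManualClock()
    grant = RefreshGrant({"spa-frontend": 30}, clock=clock)
    first = grant.issue("spa-frontend")
    # Two tabs refresh "at once": both inside the window get the same pair.
    a = grant.refresh("spa-frontend", first.refresh_token)
    clock.now += 5
    b = grant.refresh("spa-frontend", first.refresh_token)
    print("same pair inside grace:", a == b)
    clock.now += 30
    print("replay after grace:",
          refresh_or_none(grant, "spa-frontend", first.refresh_token))
```

Two points worth carrying over to a real server: the first-use rotation (read record, revoke, store replacement) must be atomic, for example inside a database transaction with a row lock, or two genuinely simultaneous requests can both rotate and the second client ends up with a token the first never sees; and a presentation of the old token after the window still fails, so the grace period narrows but does not remove the rotation guarantee.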
Security Note: The grace period deliberately relaxes strict refresh token rotation. For its duration, any party that presents the old refresh token, including an attacker who captured it, receives the same tokens as the legitimate client, so a longer window means a longer replay opportunity. Providers such as Auth0 and Okta offer a comparable setting; administrators should still weigh their own security requirements when choosing the length. The default of 30 seconds is a reasonable balance between security and usability, and the configurable range is 1 to 60 seconds.