Refresh tokens are no longer reusable. This is done
by setting the client session's timestamp when a new refresh
token is issued. If the refresh token's iat value is less than
the client session's timestamp, it's not permitted.
If anyone has time, I'd appreciate a review of the changes:
https://github.com/keycloak/keycloak/pull/1732
For anyone who runs into issues with this policy, there's
an option to disable it in the admin console in the realm's
token settings.
This does not apply to offline tokens (at least not yet). We
need to add it to offline tokens as well though, as it's even
more important for those. There are two problems with offline
tokens though: firstly, setTimestamp is not permitted on
offline client sessions. Secondly, if we allow setting it we
would have to persist it, unless someone can come up with
something clever.
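As an added illustration (my own sketch, not code from the PR or from Keycloak itself), the policy described above in a few lines of Python: issuing a refresh token stamps the client session, and a presented token whose iat is older than that stamp is refused. The ClientSession class, the revoke_old flag standing in for the realm setting, and whole-second timestamps (as JWT iat uses) are assumptions.

```python
# Added example: models the refresh-token reuse check described in the post.
# Assumed simplification: a client session keeps one 'timestamp' (seconds);
# issuing a refresh token sets it, and a token whose iat is older is rejected.
# Not Keycloak's own implementation.

class ClientSession:
    def __init__(self):
        # seconds since epoch of the most recent refresh-token issuance
        self.timestamp = 0


def issue_refresh_token(session, now, revoke_old=True):
    """Mint a refresh token (dict of claims). With the policy enabled,
    move the session timestamp forward so every older token becomes invalid."""
    if revoke_old:
        session.timestamp = now
    return {"iat": now, "typ": "Refresh"}


def validate_refresh_token(session, token, revoke_old=True):
    """Return True if the presented token may be exchanged for a new one."""
    if token.get("typ") != "Refresh":
        return False
    if revoke_old and token["iat"] < session.timestamp:
        return False  # predates the latest issuance: a reused/replayed token
    return True


def refresh(session, token, now, revoke_old=True):
    """Exchange a refresh token; returns the new token, or None if refused."""
    if not validate_refresh_token(session, token, revoke_old):
        return None
    return issue_refresh_token(session, now, revoke_old)


def demo_policy_enabled():
    s = ClientSession()
    t1 = issue_refresh_token(s, now=1000)
    t2 = refresh(s, t1, now=1010)       # first use of t1: accepted
    replay = refresh(s, t1, now=1020)   # t1 again after t2 exists: refused
    t3 = refresh(s, t2, now=1020)       # the newest token still works
    return t2 is not None, replay is None, t3 is not None


def demo_same_second():
    # Constructed edge case: 'less than' on whole-second iat values means a
    # replay within the same second as the new issuance is NOT caught.
    s = ClientSession()
    t1 = issue_refresh_token(s, now=2000)
    refresh(s, t1, now=2000)            # session timestamp stays 2000
    return refresh(s, t1, now=2000) is not None
```

The second function shows the granularity caveat: since the check is strictly "less than" and iat is in seconds, a token replayed in the same second as the new issuance still passes, so an implementation should not rely on the timestamp alone for sub-second replays.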