Skip to Content
Former Member
Sep 08, 2018 at 01:04 AM

oAuth Multi Device issue


Using Hybris 6.5 OCC services with oAuth2 extension and we're facing issues with multi-device auth specifically in generating refreshTokens. Please note that the tokens are maintained within the device.

Device 1
- Sends refreshToken to API
- API returns new oauth token with updated refreshToken and accessToken

Device 2
- Sends refreshToken to API
- API returns error "invalid refresh token"

Please note that we don't intend to reuseRefreshToken as shown below.

  # Specifies if new refresh token should be created during refreshing an Access Token
  # reuseRefreshToken = true - old refresh token will be returned, refresh token can be used more than one time
  # reuseRefreshToken = false - new refresh token will be created

I didn't find any configurations that allows OOB configurations to support multi-device auth using the oAuth extension. Is there a way in handling such cases possibly without extending the oauth2 extension? Does oAuth API accept external inputs when generating the tokens so they can be kept unique per device - similar to AuthenticationKeyGenerator in Spring Security oAuth (

The other way I see is both the devices should communicate with each other whenever a refreshToken is generated possibly through events outside of Hybris, but it seems too cumbersome.