Problem
OAuth refresh token rotation currently creates a new OAuthToken document on every successful refresh. The previous token is disabled, but it remains in the oauth-tokens index. I did not find a cleanup path for expired or disabled OAuth token documents except deleting all tokens for a user.
This means active OAuth grants can grow the oauth-tokens index indefinitely over time. It also makes grant-family operations more fragile because revocation currently pages grant-family tokens with a fixed limit.
Current behavior
- Authorization code exchange creates an
OAuthToken document.
- Refresh finds the token by
RefreshTokenHash.
- The spent token is disabled.
- A new
OAuthToken document is created with the same GrantId.
- Disabled/spent token documents are retained indefinitely unless the user is deleted or all user tokens are removed.
Desired outcome
Add cleanup or compaction so rotated OAuth token records do not grow forever.
A reasonable policy would be:
- Keep the active token for each grant.
- Remove disabled/spent OAuth token records once they are no longer needed.
- If spent refresh-token hashes are retained for replay detection, only keep them until the relevant refresh-token expiry plus a small safety window.
- Ensure grant revocation and the user's OAuth grants UI continue to work correctly even after old rotated rows are cleaned up.
Notes
Once a token has been refreshed, the old access token is no longer useful. The only possible reason to retain the old row is refresh-token replay detection because the old row may still contain the spent refresh-token hash. If we want that protection, retention should be bounded by RefreshExpiresUtc, not indefinite.
Acceptance criteria
- Expired disabled OAuth token documents are cleaned up or compacted automatically.
- Cleanup is safe for refresh-token replay detection, or the product explicitly accepts not retaining spent refresh-token hashes.
- A grant that refreshes frequently does not accumulate unbounded token documents.
- Grant-family revocation remains reliable even for long-lived/high-refresh grants.
- Add focused tests for refresh rotation plus cleanup behavior.
Problem
OAuth refresh token rotation currently creates a new
OAuthTokendocument on every successful refresh. The previous token is disabled, but it remains in theoauth-tokensindex. I did not find a cleanup path for expired or disabled OAuth token documents except deleting all tokens for a user.This means active OAuth grants can grow the
oauth-tokensindex indefinitely over time. It also makes grant-family operations more fragile because revocation currently pages grant-family tokens with a fixed limit.Current behavior
OAuthTokendocument.RefreshTokenHash.OAuthTokendocument is created with the sameGrantId.Desired outcome
Add cleanup or compaction so rotated OAuth token records do not grow forever.
A reasonable policy would be:
Notes
Once a token has been refreshed, the old access token is no longer useful. The only possible reason to retain the old row is refresh-token replay detection because the old row may still contain the spent refresh-token hash. If we want that protection, retention should be bounded by
RefreshExpiresUtc, not indefinite.Acceptance criteria