Using a refresh token does not return a new refresh_token

When I use the Generate and Validate Tokens endpoint with an Authorization Grant Code, the endpoint returns a refresh_token and id_token among other things.

When the id_token expires, I can use the refresh_token to create a new one.

However, when I use the refresh token on this endpoint, it doesn't return a new refresh_token. Why is that?
Hi, did you solve the issue?
I'm getting the same problem... when validating a refreshtoken I get a tokenResponse with accesstoken and without refreshtoken. It seems reasonable except when I try to validate again the same refreshtoken I receive an "invalid_grant" error
Yeah I'm getting the same issue too. It's frustrating because I looked through and am posting everything as Apple wants:
Code Block
{
grant_type: 'refresh_token',
refresh_token: myRefreshToken,
redirect_uri: myRedirectUri,
client_id: myClientId,
client_secret: mySecretToken,
}

and it doesn't send back a new refresh_token in its response. And I also tried using the accessToken that's returned in the response and get a 400 error status code. I really don't know what I'm doing wrong if I'm missing something, or if Apple just has an error there.

Because the original refresh token never expires, you can use it over and over until user revokes acces to app or changes password

Original refresh token never expires, agreed. But it can be invalidated by making changes to user profile. After such user actions, Apple will return invalid_grant. So far so good. But why is there a throttle limit of one request per day. Moreover access token issued by Apple expires in 3600 seconds.

I would really like an answer to this last question.

If the idea is that our API server gets a refresh + access token, then passes the access token to the (user side) app client, which they then use as a bearer token to access resources on the API server (at least, I think this is what is implied by the rather not-too-great docs), then you want to be able to either verify the access token on every request to your API server, which includes checking its validity. If it's nearing expiry, you should use the refresh token to request a new access token.

If you have access token validity at 1h, and throttling on token endpoint calls at 1 per day, that's a big fail.

Anyhow, I'd really like to know apple's preferred way of doing this, without us either (1) rolling our own token issuing on our servers; or (2) relying on a service such as Cognito in the middle to handle token issuing.

Using a refresh token does not return a new refresh_token
 
 
Q