Replies: 1 comment
-
see also: |
-
From Google Identity documentation:
Currently, assuming a refresh token grace period is not set, to break an account link it is enough to run the Google Smart Home Test Suite; specifically, the refresh token test triggers token reuse detection, which invalidates the only refresh token. After that, it is only possible for Google to acquire another refresh token once the user does the grant flow once again.
While the grace period does prevent the above breakage scenario, the core issue seems to be the single point of failure, so Google's recommendation seems to make sense.
Now comes the question: was the single refresh token a design decision from the team? Or is multiple refresh token handling simply something which happens to not be implemented yet but which would be accepted mainstream once done?
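Added example, not part of the original post and not the project's own code: a minimal model of refresh token rotation with reuse detection, showing why a single token chain is a single point of failure for the account link and how a grace period changes the outcome. The class, the `family` key and the choice to hand back the existing successor inside the grace window are assumptions of this sketch.

```python
import secrets


class RefreshTokenStore:
    """Constructed model: one rotating refresh token chain per account link."""

    def __init__(self, grace_seconds=0):
        self.grace = grace_seconds
        self.tokens = {}      # token -> {"family", "used_at", "successor"}
        self.revoked = set()  # families (account links) killed by reuse detection

    def issue(self, family):
        tok = secrets.token_urlsafe(16)
        self.tokens[tok] = {"family": family, "used_at": None, "successor": None}
        return tok

    def refresh(self, tok, now):
        """Return the next refresh token, or None if the request is rejected."""
        rec = self.tokens.get(tok)
        if rec is None or rec["family"] in self.revoked:
            return None
        if rec["used_at"] is None:
            # Normal rotation: the presented token is consumed, a successor is issued.
            rec["used_at"] = now
            rec["successor"] = self.issue(rec["family"])
            return rec["successor"]
        if self.grace > 0 and now - rec["used_at"] <= self.grace:
            # Replay inside the grace window is tolerated (assumed behaviour).
            return rec["successor"]
        # Reuse detected: the whole chain is revoked, including the live token.
        self.revoked.add(rec["family"])
        return None


def replay_scenario(grace_seconds, replay_at=105):
    """Rotate once at t=100, then present the stale token again at replay_at.

    Returns (replay_accepted, link_still_usable).
    """
    store = RefreshTokenStore(grace_seconds)
    t0 = store.issue("link-1")              # constructed account link id
    t1 = store.refresh(t0, now=100)         # legitimate rotation
    replay = store.refresh(t0, now=replay_at)
    link_ok = store.refresh(t1, now=replay_at + 5) is not None
    return replay is not None, link_ok


if __name__ == "__main__":
    print("no grace period:     ", replay_scenario(0))
    print("30 s grace, replay 5s:", replay_scenario(30))
    print("30 s grace, late replay:", replay_scenario(30, replay_at=200))
```

With no grace period, one replay of the stale token revokes the only chain, so the link stays broken until the user repeats the grant flow; a replay after the grace window has the same effect.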