Requirement: In an OAuthV2 policy with the operation RefreshAccessToken (the /refresh call), providing a valid refresh token (RT1) generates a new AccessToken/RefreshToken pair (AT2/RT2). But due to technical issues or network issues on the partner side, if partners do not receive the newly generated AT2/RT2 pair (note: Apigee successfully generated and sent AT2/RT2 as the response), they should be able to use the older refresh token to generate another AT/RT pair. That is, in technical-issue scenarios, we should be able to fall back to the previous refresh token.
But whenever we generate a new AT2/RT2 pair by providing a valid RT1 in the /refresh call, the old RT1 (the one that came in the request) is immediately invalidated.
So I am trying to implement logic as below:
Whenever we generate a new AT2/RT2 pair, before sending the response (AT2/RT2), I would like to associate this AT2/RT2 pair with RT1. So if the partner doesn't receive this AT2/RT2 pair, they will retry the /refresh call with RT1 (the one they have in hand) and Apigee finds that the given refresh token is invalidated. So I am adding logic here to check whether any custom attributes are associated with that token; if yes, it will extract those custom attributes and, with the help of RT2, generate a new AT3/RT3 pair and send AT3/RT3 to the partner. If no custom attributes are associated, we will throw an error message to the partner: Invalid refresh token.
Question: While implementing the above, I am able to extract the custom attributes associated with RT1 (though RT1 is invalidated), but I am not able to associate new custom attributes (AT2/RT2) with RT1. Can't we associate custom attributes with the invalidated token RT1?
@dino, @anilsagar - please advise.
Also let me know what is the best solution approach here.
Please find sequence diagram below to understand quickly:
Thanks in advance,
Neeraja
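An added illustration of the fallback logic the question describes, written as a constructed in-memory model and not Apigee's own OAuthV2 policy code: refreshing with a valid RT1 mints AT2/RT2, invalidates RT1 and stores the new pair as custom attributes on RT1; a retry with the invalidated RT1 follows those attributes to RT2 and rotates it into AT3/RT3. The store, the attribute names `next_at`/`next_rt` and the decision to repoint RT1 at RT3 after a fallback are assumptions of this example.

```python
import secrets


class RefreshTokenStore:
    """Constructed in-memory model of the refresh-with-fallback flow (not Apigee)."""

    def __init__(self):
        # refresh_token -> {"valid": bool, "attrs": dict of custom attributes}
        self.tokens = {}

    def issue_pair(self):
        """Mint a fresh access/refresh token pair and register the refresh token."""
        at, rt = secrets.token_hex(8), secrets.token_hex(8)
        self.tokens[rt] = {"valid": True, "attrs": {}}
        return at, rt

    def refresh(self, rt):
        rec = self.tokens.get(rt)
        if rec is None:
            raise ValueError("Invalid refresh token")  # never issued
        if rec["valid"]:
            # Normal path: RT1 valid -> mint AT2/RT2, invalidate RT1, and record the
            # new pair as custom attributes on RT1 so a retry with RT1 can be served.
            at2, rt2 = self.issue_pair()
            rec["valid"] = False
            rec["attrs"] = {"next_at": at2, "next_rt": rt2}
            return at2, rt2
        # Fallback path: RT1 already invalidated. Only honour the retry if custom
        # attributes point at a successor RT that is itself still valid; if the
        # partner has already used RT2, they evidently received it, so RT1 must fail.
        next_rt = rec["attrs"].get("next_rt")
        if next_rt is None or not self.tokens[next_rt]["valid"]:
            raise ValueError("Invalid refresh token")
        # Rotate from RT2 -> AT3/RT3 (this invalidates RT2 through the normal path).
        at3, rt3 = self.refresh(next_rt)
        # Assumption: repoint RT1 at the newest pair so one more retry still works
        # if AT3/RT3 is lost in transit as well.
        rec["attrs"] = {"next_at": at3, "next_rt": rt3}
        return at3, rt3
```

A retry with RT1 is therefore only accepted while the pair it points to has never been used, which is the only case in which the partner can have failed to receive it.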