Thanks for your confirmation and the details on how you reproduced the issue.
Original Message:
Sent: Tue December 09, 2025 02:54 AM
From: Gyula Domonkos
Subject: ISVA 11.0.1 IF1 : after upgrading, refresh tokens are not being invalidated anymore after being used
Hello André,
We tested it and experienced the same result, so we can confirm this is a critical bug.
Test curl commands and results:
1. Authentication with PKI
curl --ssl-auto-client-cert -v -k -i -c cookies.txt -H "Content-Type: application/x-www-form-urlencoded" -H "Accept: application/json" -X POST https://my.domain/pkmslogin.form
2. get Authorization Code
curl -v -k -i -b cookies.txt -H "Content-Type: application/x-www-form-urlencoded" -H "Accept: application/json" -X POST "https://my.domain/mga/sps/oauth/oauth20/authorize?client_id=test&response_type=code&scope=openid&nonce=noncess&state=state&redirect_uri=https://dummy-test"
3. get Access Token + Refresh Token + id_token
curl -v -k -i -H "Content-Type: application/x-www-form-urlencoded" -H "Accept: application/json" -d "client_id=test&client_secret=secret&grant_type=authorization_code&code=PqWXvnvvCqYE50C8vowfhmMrsYv4Up&redirect_uri=https://dummy-test" https://my.domain/mga/sps/oauth/oauth20/token
{"access_token":"oiCt5aQSbHJhRMV1l5S7","refresh_token":"QlkGusKQwHYP2kM91h4MA3zqUrZA2lRqVoQK9Kei","scope":"openid","id_token":"eyJr...
4. Check Refresh token lifetime:
curl -k --data "client_id=test&client_secret=secret&username=myuser&token=QlkGusKQwHYP2kM91h4MA3zqUrZA2lRqVoQK9Kei" https://my.domain/mga/sps/oauth/oauth20/introspect
{"sub":"myuser","scope":"openid","active":true,"token_type":"refresh_token","exp":1765302190,"iat":1765265507,"client_id":"test","username":"myuser"}
5. Refresh token
curl -i -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=refresh_token&refresh_token=QlkGusKQwHYP2kM91h4MA3zqUrZA2lRqVoQK9Kei&client_id=test&client_secret=secret" https://my.domain/mga/sps/oauth/oauth20/token
{"access_token":"kGtL2DlS81zEM19EYmxC","refresh_token":"HPv03xGeNw2OHqjnSO8q1wkMJD1OVCwsTfo3tS3M","scope":"openid","id_token":"eyJraWQ...
6.A Check Refresh token lifetime:
curl -k --data "client_id=test&client_secret=secret&username=myuser&token=QlkGusKQwHYP2kM91h4MA3zqUrZA2lRqVoQK9Kei" https://my.domain/mga/sps/oauth/oauth20/introspect
{"sub":"myuser","scope":"openid","active":true,"token_type":"refresh_token","exp":1765302190,"iat":1765265507,"client_id":"test","username":"myuser"}
6.B Check Refresh token lifetime:
curl -k --data "client_id=test&client_secret=secret&username=myuser&token=HPv03xGeNw2OHqjnSO8q1wkMJD1OVCwsTfo3tS3M" https://my.domain/mga/sps/oauth/oauth20/introspect
{"sub":"myuser","scope":"openid","active":true,"token_type":"refresh_token","exp":1765302190,"iat":1765265625,"client_id":"test","username":"myuser"}
------------------------------
Gyula Domonkos
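The manual curl sequence above (steps 5 and 6.A/6.B) can be turned into a repeatable check that fails whenever a used refresh token is still accepted or still introspects as active. The following is an added example, not code from this thread or from IBM: the endpoint paths (/mga/sps/oauth/oauth20/token and /introspect) and the client_id, client_secret and username parameters are copied from the posted curl commands; the FakeAuthServer is a constructed in-memory stand-in so the check runs offline, with rotate=True standing for the 11.0.0 behaviour described by André and rotate=False for the reported 11.0.1 IF1 behaviour. The insecure flag mirrors curl's -k and should only be used against a test deployment.

```python
"""Check whether an OAuth2/OIDC server invalidates a refresh token after use
(refresh-token rotation). Added example, not from the thread or from IBM."""
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass
class RotationResult:
    new_rt_issued: bool    # /token returned a refresh_token different from the one used
    old_rt_active: bool    # /introspect still reports the used refresh token as active
    old_rt_reusable: bool  # a second /token call with the used refresh token succeeded

    @property
    def vulnerable(self) -> bool:
        # Either condition means the used refresh token was not invalidated.
        return self.old_rt_active or self.old_rt_reusable


def check_refresh_rotation(token: Callable[[str], Dict], introspect: Callable[[str], Dict],
                           initial_rt: str) -> RotationResult:
    """token(rt) posts grant_type=refresh_token, introspect(tok) posts to /introspect.
    Both return the parsed JSON body ({"error": ...} on a failed request)."""
    first = token(initial_rt)                  # step 5: use the refresh token once
    new_rt = first.get("refresh_token")
    old_status = introspect(initial_rt)        # step 6.A: is the old token still active?
    second = token(initial_rt)                 # replay: must be rejected by a rotating server
    return RotationResult(
        new_rt_issued=bool(new_rt) and new_rt != initial_rt,
        old_rt_active=bool(old_status.get("active")),
        old_rt_reusable="access_token" in second,
    )


def live_client(base_url: str, client_id: str, client_secret: str, username: str,
                insecure: bool = False):
    """Real HTTP callables for an ISVA-style server; paths are the ones from the thread."""
    ctx = ssl._create_unverified_context() if insecure else ssl.create_default_context()

    def post(path: str, fields: Dict[str, str]) -> Dict:
        req = urllib.request.Request(
            base_url + path, data=urllib.parse.urlencode(fields).encode(), method="POST",
            headers={"Content-Type": "application/x-www-form-urlencoded",
                     "Accept": "application/json"})
        try:
            with urllib.request.urlopen(req, context=ctx) as resp:
                return json.loads(resp.read() or b"{}")
        except urllib.error.HTTPError as e:     # e.g. 400 invalid_grant on a replayed token
            try:
                return json.loads(e.read() or b"{}")
            except ValueError:
                return {"error": f"http_{e.code}"}

    def token(rt: str) -> Dict:
        return post("/mga/sps/oauth/oauth20/token",
                    {"grant_type": "refresh_token", "refresh_token": rt,
                     "client_id": client_id, "client_secret": client_secret})

    def introspect(tok: str) -> Dict:
        return post("/mga/sps/oauth/oauth20/introspect",
                    {"client_id": client_id, "client_secret": client_secret,
                     "username": username, "token": tok})

    return token, introspect


class FakeAuthServer:
    """Constructed stand-in: rotate=True revokes a refresh token once it is used,
    rotate=False keeps it valid (the behaviour reported for 11.0.1 IF1)."""
    def __init__(self, rotate: bool):
        self.rotate = rotate
        self.n = 0
        self.valid_rts = set()

    def issue(self) -> Dict:
        self.n += 1
        rt = f"rt{self.n:03d}"
        self.valid_rts.add(rt)
        return {"access_token": f"at{self.n:03d}", "refresh_token": rt, "scope": "openid"}

    def token(self, rt: str) -> Dict:
        if rt not in self.valid_rts:
            return {"error": "invalid_grant"}
        if self.rotate:
            self.valid_rts.discard(rt)
        return self.issue()

    def introspect(self, tok: str) -> Dict:
        return {"active": tok in self.valid_rts, "token_type": "refresh_token"}


if __name__ == "__main__":
    for rotate in (True, False):
        srv = FakeAuthServer(rotate=rotate)
        rt = srv.issue()["refresh_token"]
        print(rotate, check_refresh_rotation(srv.token, srv.introspect, rt))
```

Against a real deployment, obtain the first refresh token with steps 1 to 3 from the post, then call `check_refresh_rotation(*live_client("https://my.domain", "test", "secret", "myuser", insecure=True), initial_rt)`; `vulnerable` is True exactly when the used refresh token still introspects as active or is accepted a second time at /token, which is the condition shown in 6.A above.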
Original Message:
Sent: Mon December 08, 2025 10:07 AM
From: André Leruitte
Subject: ISVA 11.0.1 IF1 : after upgrading, refresh tokens are not being invalidated anymore after being used
Hello,
We have recently upgraded our UAT ISVA cluster to the latest update (11.0.1 IF1) and, thanks to an internal pen-test, we have identified that refresh tokens are not invalidated anymore after being used.
I'm able to call the /token endpoint with the same refresh_token as much as I want, with each call generating a new pair of AT/RT/ID_TOKENS.
-=> Has anyone already noticed this critical change in behavior?
As we are using an OIDC policy where we have not enabled the "Do not rotate refresh token" and "Enable multiple refresh tokens for fault tolerance" options, this seems more like a critical bug than a desired behavior change.
I tested the exact same calls on our production environment (still in 11.0.0) and the refresh tokens are correctly discarded after their first use.
If someone can confirm this, it will be important to advertise that this update (11.0.1 or the IF1) should not go in production for anyone using OIDC/OAuth policies.
------------------------------
André Leruitte
Security Architect
POST Luxembourg
Luxembourg
------------------------------