...

Linking Access Tokens to Refresh Tokens

Access tokens are JWTs. To link an access token to the refresh token that permits it to be issued, we can simply add a claim to the access token that contains its corresponding refresh token ID. The JWT specification § 4.2 suggests we use a namespace for this claim (e.g. Auth0 recommends a URL like https://synapse.org/refresh_token_id or https://sagebionetworks.org/refresh_token_id, but we should be able to use a reverse domain name like org.sagebionetworks.repo.model.oauth.claims.refresh_token_id). As a side note, I think we are already in violation of this specification, since we currently use nonstandard, non-namespaced claims such as orcid, is_certified, etc. We should determine whether we should get back “in-spec” and add namespaces to the existing claims (a breaking API change).
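As an added illustration (not Synapse code), the following minimal HS256 JWT issuer and verifier carries the refresh token ID under the reverse-domain claim name proposed above, and refuses to report a linked ID unless the signature and expiry check out. The signing key, subject and token IDs are constructed values.

```python
import base64, hashlib, hmac, json, time

# Namespaced claim name in the reverse-domain form proposed above (assumed, not yet in use)
REFRESH_ID_CLAIM = "org.sagebionetworks.repo.model.oauth.claims.refresh_token_id"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_access_token(sub: str, refresh_token_id: str, key: bytes, ttl: int = 3600, now=None) -> str:
    """Mint an HS256 JWT whose payload carries the ID of the refresh token that issued it."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "iat": now, "exp": now + ttl, REFRESH_ID_CLAIM: refresh_token_id}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(payload)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def linked_refresh_token_id(token: str, key: bytes, now=None):
    """Verify alg, signature and expiry, then return the linked refresh token ID
    (None if the access token carries no such claim). Raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # never trust the token's own choice of alg
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p))
    now = int(time.time()) if now is None else now
    if payload.get("exp", 0) <= now:
        raise ValueError("expired")
    return payload.get(REFRESH_ID_CLAIM)
```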

...