Siteminder : Scenarios related to OIDC Refresh Token

Article ID: 395962

Products

CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

Information on different scenarios in the lifecycle of an OIDC Refresh Token: repeated use, whether a new refresh token is issued on refresh, and what happens when a superseded refresh token is presented again.

Environment

Siteminder Version: 12.8 SP7

Resolution

1. Can a Refresh Token be reused indefinitely until it reaches its expiration time?

Yes. In CA SiteMinder a refresh token remains valid until it expires or is revoked (for example, by an administrator or by a session change such as user logout). Until then it can be presented to the token endpoint repeatedly to obtain new access tokens. Treat it accordingly: a leaked refresh token can mint access tokens for its entire remaining lifetime, so keep the refresh-token lifetime as short as the application allows and store the token as carefully as any other long-lived credential.

2. If I send Refresh Token (R1) to the Token Endpoint, will a new Refresh Token (R2) be issued together with the new Access Token (A2)?

In CA SiteMinder 12.8.07, sending R1 to the token endpoint returns a new access token (A2) but, by default, no new refresh token. R1 stays valid for further refreshes until it expires or is revoked.

Automatic refresh token rotation (a new refresh token issued on every refresh) is available in later SiteMinder versions. It is not available in 12.8.07 or earlier unless custom behavior has been implemented.

3. (If a new Refresh Token is issued in 2.) If I hold both the initially generated Refresh Token (R1) and a new Refresh Token (R2), and then send R1 to the Token Endpoint, will it be recognized as an invalid Refresh Token and will both R1 and R2 be invalidated?

No, not by default. If R1 is sent to the token endpoint after R2 has been issued, SiteMinder does not automatically invalidate R1 unless it has been explicitly configured to do so through a custom policy. R1 is still accepted, and both R1 and R2 remain valid until their respective expiration times or until they are revoked (for example, by user logout). Reuse detection that revokes the whole chain of refresh tokens when a superseded one is replayed is therefore not behavior to assume from this version; if it is required, it has to be implemented explicitly.
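The three scenarios above are easier to reason about side by side. The following is an added illustration written for this article, not SiteMinder code: a small in-memory model of a token endpoint's refresh_token grant under two policies. NO_ROTATION models the 12.8.07 default described in scenarios 1 to 3 (a refresh returns a new access token only, and the same refresh token stays valid until expiry or revocation). ROTATE_AND_REVOKE_FAMILY models the behavior scenario 3 asks about, where each refresh issues a new refresh token and replaying a superseded one revokes every token descended from the original grant; this is the reuse-detection pattern from the OAuth 2.0 Security Best Current Practice, not a SiteMinder setting. The policy names, token values, lifetimes, client credentials and the store are all constructed for the example.

```python
"""Model of the refresh-token behaviours in scenarios 1-3.

Added illustration, not SiteMinder code. Policies modelled:
  NO_ROTATION              - 12.8 SP7 default per the article: a refresh returns
                             a new access token only; the same refresh token
                             stays valid until expiry or revocation.
  ROTATE_AND_REVOKE_FAMILY - behaviour scenario 3 asks about: every refresh
                             issues a new refresh token and retires the old one;
                             replaying a retired token revokes the whole family
                             (OAuth 2.0 Security BCP pattern, not SiteMinder).
Token values, lifetimes and the in-memory store are all constructed here.
"""
import secrets
import time
from dataclasses import dataclass
from urllib.parse import urlencode

NO_ROTATION = "no_rotation"
ROTATE_AND_REVOKE_FAMILY = "rotate_and_revoke_family"


@dataclass
class RefreshRecord:
    family: str            # identifies the original grant this token descends from
    expires_at: float
    retired: bool = False  # set once a rotated successor has been issued


class TokenEndpoint:
    """Minimal stand-in for an OIDC token endpoint's refresh_token grant."""

    def __init__(self, policy, refresh_ttl=3600, access_ttl=300):
        self.policy = policy
        self.refresh_ttl = refresh_ttl
        self.access_ttl = access_ttl
        self.refresh_tokens = {}       # token value -> RefreshRecord
        self.revoked_families = set()

    def _new_refresh(self, family):
        value = secrets.token_urlsafe(24)
        self.refresh_tokens[value] = RefreshRecord(family, time.time() + self.refresh_ttl)
        return value

    def issue_initial(self):
        """Stand-in for the authorization-code exchange that yields A1 and R1."""
        return {"access_token": secrets.token_urlsafe(16),
                "refresh_token": self._new_refresh(family=secrets.token_urlsafe(8)),
                "expires_in": self.access_ttl}

    def revoke(self, refresh_token):
        """Out-of-band revocation, e.g. triggered by user logout."""
        rec = self.refresh_tokens.get(refresh_token)
        if rec is not None:
            self.revoked_families.add(rec.family)

    def refresh(self, form):
        """Handle a POST with grant_type=refresh_token (form = parsed body)."""
        if form.get("grant_type") != "refresh_token":
            return {"error": "unsupported_grant_type"}
        rec = self.refresh_tokens.get(form.get("refresh_token", ""))
        if rec is None or rec.expires_at <= time.time() or rec.family in self.revoked_families:
            return {"error": "invalid_grant"}
        if rec.retired:
            # Only reachable under rotation: a superseded token was replayed,
            # so the whole family is treated as compromised.
            self.revoked_families.add(rec.family)
            return {"error": "invalid_grant"}
        response = {"access_token": secrets.token_urlsafe(16),
                    "token_type": "Bearer", "expires_in": self.access_ttl}
        if self.policy == ROTATE_AND_REVOKE_FAMILY:
            rec.retired = True
            response["refresh_token"] = self._new_refresh(rec.family)
        return response


def refresh_request_body(refresh_token, client_id, client_secret):
    """Form body a confidential client POSTs to the token endpoint (RFC 6749 section 6).
    client_id/client_secret are placeholders for the client's own credentials."""
    return urlencode({"grant_type": "refresh_token", "refresh_token": refresh_token,
                      "client_id": client_id, "client_secret": client_secret})


def run_scenarios(policy):
    """Walk scenarios 1-3: refresh with R1, replay R1 after R2 may exist, then revoke R1."""
    ep = TokenEndpoint(policy)
    r1 = ep.issue_initial()["refresh_token"]
    first = ep.refresh({"grant_type": "refresh_token", "refresh_token": r1})
    r2 = first.get("refresh_token")                       # None under NO_ROTATION
    replay = ep.refresh({"grant_type": "refresh_token", "refresh_token": r1})
    r2_use = ep.refresh({"grant_type": "refresh_token", "refresh_token": r2}) if r2 else None
    ep.revoke(r1)
    after_revoke = ep.refresh({"grant_type": "refresh_token", "refresh_token": r1})
    return {
        "new_refresh_issued": r2 is not None,
        "r1_accepted_after_reuse": "access_token" in replay,
        "r2_valid_after_r1_replay": None if r2_use is None else "access_token" in r2_use,
        "r1_rejected_after_revoke": "error" in after_revoke,
    }


if __name__ == "__main__":
    for policy in (NO_ROTATION, ROTATE_AND_REVOKE_FAMILY):
        print(policy, run_scenarios(policy))
```

Under NO_ROTATION the observations match the answers above: no R2 is issued, R1 keeps working on reuse, and only revocation stops it. Under ROTATE_AND_REVOKE_FAMILY, replaying R1 after R2 exists is rejected and takes R2 down with it, which is the invalidation scenario 3 asks about and which 12.8.07 does not provide without custom work.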


Additional Information