I am using LWA to create an application. There are several microservices that can call my auth service. I want to prevent 2 services from having an access token collision.
So, assume service A calls the auth service with refresh token 'xyz' and gets an access token. Now, service B invokes the auth service with refresh token 'xyz' and gets another access token.
Since the refresh token lives indefinitely, I am finding it hard to securely prevent a collision for the access token.
The auth service should be keeping track of the tokens issued. In case of corruption, the auth service can invalidate the associated tokens. If you do, then you can do a simple check against this list and retry.
Refresh tokens should roll after getting used, i.e., you should generate a fresh refresh token when one is exchanged for an access token. Refresh tokens should not live indefinitely.
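An added example (not from the original thread) of the rotation and reuse-detection logic this answer describes: each exchange marks the presented refresh token as used and issues a fresh one, and a second presentation of the same token (service B replaying 'xyz') revokes the whole token family, including access tokens already issued from it. The in-memory store, TTL and token format are assumptions for illustration.

```python
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class RefreshRecord:
    family: str            # all tokens descending from one original grant
    used: bool = False     # set once this token has been exchanged
    expires_at: float = 0.0


@dataclass
class AuthService:
    refresh_tokens: dict = field(default_factory=dict)   # refresh token -> RefreshRecord
    access_tokens: dict = field(default_factory=dict)    # access token -> family
    revoked_families: set = field(default_factory=set)
    refresh_ttl: float = 30 * 24 * 3600                  # assumed 30-day lifetime, not indefinite

    def issue_initial(self) -> str:
        """Start a new token family, e.g. after the user's first login."""
        return self._new_refresh(secrets.token_hex(8))

    def _new_refresh(self, family: str) -> str:
        token = secrets.token_urlsafe(32)
        self.refresh_tokens[token] = RefreshRecord(family, expires_at=time.time() + self.refresh_ttl)
        return token

    def exchange(self, refresh_token: str):
        """Return (access_token, new_refresh_token), or None if the request is rejected."""
        rec = self.refresh_tokens.get(refresh_token)
        if rec is None or rec.family in self.revoked_families or rec.expires_at < time.time():
            return None
        if rec.used:
            # Replay: an already-rotated token was presented again (a second service
            # reusing 'xyz'). Treat the whole family as compromised and revoke it.
            self.revoked_families.add(rec.family)
            for tok, fam in list(self.access_tokens.items()):
                if fam == rec.family:
                    del self.access_tokens[tok]
            return None
        rec.used = True
        access = secrets.token_urlsafe(32)
        self.access_tokens[access] = rec.family
        return access, self._new_refresh(rec.family)

    def is_access_valid(self, access_token: str) -> bool:
        return access_token in self.access_tokens
```

In a real deployment the `exchange` step must be atomic across service instances (a single-row compare-and-set in the token store) so that two concurrent presentations of the same token cannot both succeed.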