Enable Refresh Token Rotation in OAuth2 Configuration

[danydossantos63]

🚀 Feature Request: Support refresh token rotation in OAuth2 secure preset

Description

The API-Connect plugin does not expose refresh token rotation in the OAuth2 secure-oauth preset, while this feature is already supported by Dataiku DSS.

Problem

Although DSS supports refresh token rotation natively, it cannot be enabled through the plugin configuration.

This prevents users from leveraging this security feature when using OAuth2 via the API-Connect plugin.

Proposed solution

Add a refreshTokenRotation boolean parameter to the secure-oauth preset.

This parameter should map directly to the existing DSS OAuth2 refresh token rotation mechanism.

Expected behavior

When enabled:

• Refresh tokens are rotated according to DSS behavior
• Existing OAuth2 flows remain unchanged
• No additional configuration is required on the API side

[danydossantos63]

If I convert this to a dev plugin and only apply this change to force the refresh rotate, it works fine on my side

[alexbourret]

Hi @danydossantos63 ! Thank you for your feedback. We have a beta version (v1.4.0-beta.1) implementing this feature. Feel free to download it as a zip from here.
As we cannot force to enable refreshTokenRotation for everyone, we had to create a separate preset type. Once the beta installed, (and after a browser hard reload), you should find a "Secure SSO with rotation" tab in the setting. You can create your preset there, and it will have the option activated for you. Let us know if it fixes the issue for you...