OAuthV2 associating newly refreshed access tokens in Apigee token store

Consider this scenario:

I have /token endpoint in my proxy where I send an external authorization code to a target backend to exchange for external access token 1 and external refresh token 1. Upon success, I store these tokens using the OAuthV2 policy.

I then call the /token endpoint again to use the refresh token to obtain access token 2.

Finally, I call a /revoke endpoint where we invalidate refresh token 1. This would also invalidate access token 1 BUT it does not revoke access token 2.

My question is: Is there an existing Apigee policy/function that I can use to associate the newly generated access token 2 to refresh token 1? This way when I revoke the refresh token during the /revoke call I can revoke all associated access tokens?

Note that during refresh token exchange the grant_type will be ‘refresh_token’ instead of the grant_types Apigee supports for Refresh Token storage through OAuthV2 policy (authorization_code/password).

There is a ReuseRefreshToken element in the OAuthV2 policy, which you can apply in the case of Operation = RefreshAccessToken. This will allow you to re-use the fresh token for each new access token, until the refresh token expires.

If you use <ReuseRefreshToken>true</ReuseRefreshToken>, be aware that OAuth experts consider the practice of re-using refresh tokens as insecure. The “Best Current Practice” document recommends that you get a new refresh token with each refresh, to minimize the exposure to replay attacks. Specifying <ReuseRefreshToken>false</ReuseRefreshToken> will do that. You can alternatively omit this configuration element from the policy; false is the default.