There should be a way to configure the server, or some special scope, to kill the token after it is used once, regardless of whether or not the request was successful.
The use case would be sensitive transactions, for example a money transfer, where an error from the user or the app client sending the same request twice can lead to loss of money.
The app client sends a request with the single-use token, then the OAuth2 server kills the token so it can never be used again. The transaction is processed, maybe returning status 200 or 400; it does not matter.
The app client or the end user screws up, clicks the submit button again, or for whatever reason the same request is sent. The server gets the single-use token which was already used and expired, halting the request.
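The behaviour requested above, as an added example that is not part of the original post and not code from any OAuth2 server project: a resource server that atomically marks a bearer token as consumed before it runs the transaction, so a replayed request is refused even when the first attempt failed with a 400. The scope name `transfer:once`, the `TokenStore`/`TransferService` classes, the 409 status for a replay and the in-memory balances are all assumptions chosen for illustration.

```python
"""Single-use (one-shot) bearer tokens for sensitive transactions.

Added example, not the project's own code. Scope name "transfer:once",
the classes below and the sample accounts are hypothetical.
"""
import secrets
import threading
import time
from dataclasses import dataclass


@dataclass
class TokenRecord:
    scopes: set
    expires_at: float
    consumed: bool = False


class TokenStore:
    """Issues tokens and performs an atomic check-and-burn on use."""

    def __init__(self):
        self._tokens = {}
        self._lock = threading.Lock()  # stands in for an atomic DB op (e.g. conditional UPDATE / SET NX)

    def issue(self, scopes, ttl_seconds=300):
        token = secrets.token_urlsafe(32)
        with self._lock:
            self._tokens[token] = TokenRecord(set(scopes), time.time() + ttl_seconds)
        return token

    def consume_once(self, token, required_scope):
        """Return "ok", "replayed", "invalid" or "insufficient_scope".

        The consumed flag is set inside the lock and BEFORE any business
        logic runs, so a second request racing the first cannot both pass.
        """
        with self._lock:
            rec = self._tokens.get(token)
            if rec is None or rec.expires_at < time.time():
                return "invalid"
            if rec.consumed:
                return "replayed"
            if required_scope not in rec.scopes:
                return "insufficient_scope"
            rec.consumed = True  # burned regardless of what the transaction returns
            return "ok"


class TransferService:
    """Hypothetical resource server endpoint protected by a one-shot token."""

    def __init__(self, store):
        self.store = store
        self.balances = {"alice": 100, "bob": 0}  # constructed sample data
        self.ledger = []

    def transfer(self, bearer, src, dst, amount):
        verdict = self.store.consume_once(bearer, "transfer:once")
        if verdict == "replayed":
            return 409, {"error": "token_already_used"}
        if verdict != "ok":
            return 401, {"error": verdict}
        # From here on the token is already dead, even if we fail with 400.
        if amount <= 0 or self.balances.get(src, 0) < amount:
            return 400, {"error": "insufficient_funds"}
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount
        self.ledger.append((src, dst, amount))
        return 200, {"balance": self.balances[src]}


def demo():
    """Run the double-submit scenario; returns the four responses and final balances."""
    store = TokenStore()
    svc = TransferService(store)

    tok = store.issue(["transfer:once"])
    first = svc.transfer(tok, "alice", "bob", 40)    # 200, alice debited once
    replay = svc.transfer(tok, "alice", "bob", 40)   # 409, same request resent: no second debit

    tok2 = store.issue(["transfer:once"])
    failed = svc.transfer(tok2, "alice", "bob", 500)  # 400, business error
    retry = svc.transfer(tok2, "alice", "bob", 10)    # 409, token burned despite the 400

    return first, replay, failed, retry, svc.balances


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The important property is that check-and-mark happens in one atomic step before the handler touches any balance; a store that marks the token only after a successful response (or that checks and marks in two separate round trips) lets a duplicate submitted during the first request's processing slip through. After the 400 in the example the client has to obtain a fresh token to try again, which is exactly the trade-off the request above asks for.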