Appropriate refresh token setting for rolling window?

What is the appropriate setting to use regarding refresh token expiration and refresh token usage when you want the following:

• The refresh token can only be used once; on refresh, a new refresh token is issued
• The new refresh token has an updated expiration of "Refresh Token duration" instead of the former refresh token's expiration

I'm using:

Refresh Token expiration: Sliding window
Refresh Token usage: One time use

Would those be the correct settings?

@dan Thanks, this is the use-case I was expecting.

There's also another kind of spam that we're noticing. At least for Google IdP accounts, scammers are adjusting their name to include malicious URLs (without even using link tags). The gmail UI will unfortunately render them as links.

Does FA have some built-in functionality to deal with this scenario?

@dan Thanks, this is the use-case I was expecting.

So basically for fixed, the new token will have a reset exp date, while the old one will retain its existing one?

What is the appropriate setting to use regarding refresh token expiration and refresh token usage when you want the following:

• The refresh token can only be used once; on refresh, a new refresh token is issued
• The new refresh token has an updated expiration of "Refresh Token duration" instead of the former refresh token's expiration

I'm using:

Refresh Token expiration: Sliding window
Refresh Token usage: One time use

Would those be the correct settings?

I'm performing an import from Cognito and we have usernames that are completely unique on it. The import API for FusionAuth will error out if there is a duplicate user being inserted.

I'm trying to write something that will filter out users already imported into FusionAuth from Cognito, but the User search API using elasticsearch (I'm on hosted FA) doesn't always return results when I search by username using queryString.

Is there a better way to go about searching for users against a username?