-
-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enhancement: specify lifespan for refresh_token #1088
Comments
This has been removed intentionally as refresh tokens are long living credentials and do not have an expiry time defined. To revoke refresh tokens you can use the |
IMHO... there should be the capability to set a exp on a refresh token. |
+1 |
I'm not sure, there isn't really a reason for doing that, let me explain: You're probably coming from an angle where limiting credentials' lifetimes is seen as a security feature. I agree. The thing is, there is not much upside to introducing a lifespan to refresh tokens. Here's would we gain if refresh tokens expire after some time:
The re-authorization process (consent) is skipped because the user already granted consent. If the user was to actually click the permissions, that can only be because There is the case where consent is not remembered. This is the only interaction where I think expiring refresh tokens make sense. You would basically need to re-authorize an app after a certain period, but it's also a bit strange because what's the reference? Just because you didn't use an app for a three days, do you have to reauthorize? Why is this requirement not valid if you use the app every day? What's the difference? To conclude, I understand the desire, but I doubt it's usefulness. edit:// And please no +1, we're past that with github issue reactions! |
I see an use case for it. Let's say an user of Hydra created a SPA where the SPA Logs the user in, the refresh_token will then be saved in the browsers local store, as a security measure i want to enforce re-authorization with the Authorization Server periodically. I know Hydra also saves data in a cookie, but this is another case. Hope you see my reasoning, René |
As a consumer of the API you can voluntarily do that with |
I'm closing this here and am tracking it in fosite: ory/fosite#319 |
I've added this feature in fosite and will enable it in hydra next: ory/fosite#337 |
This patch enables refresh token expiry. Closes #1088 Signed-off-by: arekkas <aeneas@ory.am>
This patch enables refresh token expiry. Closes #1088 Signed-off-by: arekkas <aeneas@ory.am>
This patch enables refresh token expiry. Closes #1088 Signed-off-by: arekkas <aeneas@ory.am>
This patch enables refresh token expiry. Closes #1088 Signed-off-by: arekkas <aeneas@ory.am>
This patch enables refresh token expiry. Closes #1088 Signed-off-by: arekkas <aeneas@ory.am>
Do you want to request a feature or report a bug?
feature
What is the current behavior?
refresh token never expires
If the current behavior is a bug, please provide the steps to reproduce and if possible a minimal demo of the problem.
N/A
What is the expected behavior?
have an environment setting to limit life span of refresh tokens
Which version of the software is affected?
beta-9
The text was updated successfully, but these errors were encountered: