Enhancement: specify lifespan for refresh_token #1088
Do you want to request a feature or report a bug?
What is the current behavior?
If the current behavior is a bug, please provide the steps to reproduce and if possible a minimal demo of the problem.
What is the expected behavior?
Which version of the software is affected?
IMHO... there should be the capability to set an exp on a refresh token.
I'm not sure, there isn't really a reason for doing that, let me explain:
You're probably coming from an angle where limiting credentials' lifetimes is seen as a security feature. I agree. The thing is, there is not much upside to introducing a lifespan to refresh tokens. Here's what we would gain if refresh tokens expire after some time:
The re-authorization process (consent) is skipped because the user already granted consent. If the user was to actually click the permissions, that can only be because
There is the case where consent is not remembered. This is the only interaction where I think expiring refresh tokens make sense. You would basically need to re-authorize an app after a certain period, but it's also a bit strange because what's the reference? Just because you didn't use an app for three days, do you have to reauthorize? Why is this requirement not valid if you use the app every day? What's the difference?
To conclude, I understand the desire, but I doubt its usefulness.
edit:// And please no +1, we're past that with github issue reactions!
I see a use case for it.
Let's say a user of Hydra created a SPA where the SPA logs the user in; the refresh_token will then be saved in the browser's local store. As a security measure, I want to enforce re-authorization with the Authorization Server periodically.
I know Hydra also saves data in a cookie, but this is another case.
Hope you see my reasoning,
As a consumer of the API you can voluntarily do that with