gethly 7 days ago
> the refresh tokens should theoretically not expire

That is subjective. In essence, they should last long enough so the client can use them to get a new access token without the user (resource owner) having to authorise a new grant. Each client is different with different needs, and the scopes might be too sensitive to provide long-lasting access. So, as usual, it depends. In my server implementation, access tokens are valid for one hour and refresh tokens for 30 days. I also return refresh tokens with each access token request, so as long as the client makes at least one request per month, they do not have to bother the user for a new grant. I just wish the spec had a dedicated "refresh_expires_in" field in addition to "expires_in" for refresh tokens, so the client would be better informed about this. As refresh tokens are part of the spec, though optional, their lifespan information is lacking here.
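The client-side bookkeeping this scheme implies, as an added example that is not part of the thread or of any commenter's server: it turns an RFC 6749 token response into absolute deadlines, treats "refresh_expires_in" as the optional non-standard hint the comment wishes for (falling back to a client-side guess when absent), and keeps the old refresh token when a refresh response does not rotate it. All token values and timestamps are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class TokenSet:
    access_token: str
    refresh_token: Optional[str]
    access_expires_at: float             # absolute epoch seconds
    refresh_expires_at: Optional[float]  # None: the server gave no hint


def parse_token_response(resp: dict, now: float,
                         assumed_refresh_ttl: Optional[float] = None) -> TokenSet:
    """Convert an RFC 6749 token response into absolute expiry times.

    'refresh_expires_in' is not in the RFC; it is the hint discussed in the
    thread. When absent, assumed_refresh_ttl (a client-side guess) is used,
    and when that is None too the client simply cannot know.
    """
    refresh_ttl = resp.get("refresh_expires_in", assumed_refresh_ttl)
    return TokenSet(
        access_token=resp["access_token"],
        refresh_token=resp.get("refresh_token"),
        access_expires_at=now + float(resp["expires_in"]),
        refresh_expires_at=None if refresh_ttl is None else now + float(refresh_ttl),
    )


def next_action(t: TokenSet, now: float, skew: float = 60.0) -> str:
    """Return 'use' (access token still good), 'refresh', or 'reauthorize'."""
    if now + skew < t.access_expires_at:
        return "use"
    if t.refresh_token is None:
        return "reauthorize"
    if t.refresh_expires_at is not None and now + skew >= t.refresh_expires_at:
        return "reauthorize"  # refresh token is known to be expired
    return "refresh"          # unknown lifetime: try the refresh grant


def apply_refresh(old: TokenSet, resp: dict, now: float) -> TokenSet:
    """Merge a refresh-grant response (RFC 6749 section 6) into the stored set.

    A server that rotates (as described in the comment) returns a fresh
    refresh_token with its own deadline; if none is returned, the previous
    refresh token and its deadline remain in force.
    """
    new = parse_token_response(resp, now)
    if new.refresh_token is None:
        new.refresh_token = old.refresh_token
        new.refresh_expires_at = old.refresh_expires_at
    return new
```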
jwr 7 days ago
Yes, I have no problem with refresh tokens expiring, but I wish the RFC explicitly included this functionality along with a "refresh_expires_in" field, as you wrote.
Pet_Ant 7 days ago
How hard is it to get a suggestion like that in? I mean, it seems foolproof: make it optional and there should be no problem.