
How to set different expiry time for access and refresh tokens? #141

Open
ondrowan opened this issue May 4, 2022 · 1 comment

Comments


ondrowan commented May 4, 2022

I'm implementing a server that supports pretty standard Authorization Code flow. I'd like to generate both access and refresh tokens, the former with short expiry time, the latter with long expiry time. I kinda struggle with how to implement this. Since those tokens are tied one to another, I implemented a single Issuer (which I'm using with a Generic endpoint). From what I saw in examples and implementation of TokenMap, expiry time is taken from Grant that is passed to the issuer. This however implies that maybe I should implement different Issuer for both access and refresh grants? This however doesn't make sense either since I need to use different - and probably somehow hardcoded - expiry times for both of those tokens. Or perhaps I don't understand where this Grant instance comes from when implementing an Issuer.

One thing that confuses me on top of this is how to set different access and refresh token expiry times when using TokenMap. It seems to me that they are always set to the same expiry time and it cannot be changed.

Maybe this is also related to #117 and I'd be happy to help out with some examples once I understand how to implement this.

@HeroicKatora (Owner) commented

> This however implies that maybe I should implement different Issuer for both access and refresh grants?

Yes, indeed. The expiry time in the Grant is a suggestion; what will be authoritative is what's stored in your issuer and returned on recover_*. (Though you should make an effort to provide the right duration to the user.) The only standard way to communicate the refresh token's expiry time would be through RFC7662 (Token Introspection), however this hasn't been implemented as of now. So, there's no need to really return this different expiry time in any result other than store it internally within the issuer.

TokenMap doesn't have a setter for different expiry, however this should be simple enough to add. Willing to take a PR or have this open as a tracking issue of sorts.
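The approach described in the answer above, as an added example that is not oxide-auth's own code: a single in-memory issuer that stores its own access and refresh expiry per token and treats the Grant's `until` as a suggestion only. The `Grant` struct is an assumed minimal stand-in for the library's type, and the counter-based token strings are a placeholder for a real random token source.

```rust
// Added example, not oxide-auth's own code: an in-memory issuer that stores
// separate, authoritative expiry times; the Grant's `until` is a suggestion only.
use std::collections::HashMap;

/// Minimal stand-in for the library's Grant (assumed shape, not the real type).
#[derive(Clone)]
pub struct Grant {
    pub owner_id: String,
    pub scope: String,
    pub until: u64, // Unix seconds suggested by the endpoint
}
pub struct DualExpiryIssuer {
    access_ttl: u64,
    refresh_ttl: u64,
    counter: u64, // placeholder token source; real code needs a CSPRNG
    access: HashMap<String, Grant>,
    refresh: HashMap<String, Grant>,
}
impl DualExpiryIssuer {
    pub fn new(access_ttl: u64, refresh_ttl: u64) -> Self {
        DualExpiryIssuer { access_ttl, refresh_ttl, counter: 0,
                           access: HashMap::new(), refresh: HashMap::new() }
    }

    fn next_token(&mut self) -> String {
        self.counter += 1;
        format!("tok-{}", self.counter)
    }

    /// Issue a linked pair at time `now`; each token gets its own stored expiry.
    pub fn issue(&mut self, grant: Grant, now: u64) -> (String, String) {
        let (access_token, refresh_token) = (self.next_token(), self.next_token());
        let mut a = grant.clone();
        a.until = now + self.access_ttl;
        let mut r = grant;
        r.until = now + self.refresh_ttl;
        self.access.insert(access_token.clone(), a);
        self.refresh.insert(refresh_token.clone(), r);
        (access_token, refresh_token)
    }

    /// Like recover_token/recover_refresh: None when unknown or expired at `now`.
    pub fn recover_token(&self, token: &str, now: u64) -> Option<&Grant> {
        self.access.get(token).filter(|g| g.until > now)
    }
    pub fn recover_refresh(&self, token: &str, now: u64) -> Option<&Grant> {
        self.refresh.get(token).filter(|g| g.until > now)
    }
}
```

Because the stored `until` is what the recover methods return, the endpoint's own suggested expiry never leaks into what the resource server later sees.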
