Should using a refresh token to get a new access/refresh token expire the old refresh token?

Created on 22 August 2023, 10 months ago

Could use a little help here on best practices...

We've finally implemented OAuth for authentication for one of our services - hooray! For the end user, it's working great.

We've got an access token lifespan of 60 minutes, and a much longer refresh token expiry on the scale of months. We actually need those long refresh token lifespans. Users might go away from their system for months, while others might use the service for hours every day.

However, when the access token expires, the client uses their refresh token to request a new access token/refresh token pair. But this does not remove the old refresh token, which still has months before it expires.

With an access token lifespan of about 60 seconds, and pretty constant queries coming in from clients, this means that the token table is getting littered with old used refresh tokens, no longer held by any client. That seems messy - like printing a new key to your home but having all the old ones still work.

I see issues like 💬 [PP-1] Revoke refresh tokens (Needs work) - this obviously isn't a trivial problem. What's the best practice here? Should we be changing the lifespan of our tokens? Should the server work to discard a refresh token after a new one has been created? Is there some simple setting I'm missing that already does this? Is the correct solution something more like 💬 [PP-1] Revoke refresh tokens (Needs work) where the client is responsible for requesting that an old token be discarded?

Would appreciate a little guidance before we drown in refresh tokens. Thanks!
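The server-side behaviour the question asks about, written out as an added example (this is illustrative code, not code from the module this issue is filed against or from the poster): each refresh exchange retires the token that was presented, a retired token that is presented again is treated as a leak and its whole token family is revoked, and a purge routine removes dead records so the table does not fill with used tokens. The `grace` window, the `family` id and the in-memory dict are assumptions of the example, not settings of any real module.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class RefreshRecord:
    user: str
    family: str                      # shared by every token descended from one login
    expires_at: float
    used_at: Optional[float] = None  # set once the token has been exchanged


class TokenStore:
    """Illustrative in-memory store; a real server would back this with its database."""

    def __init__(self, refresh_ttl: float = 90 * 86400, grace: float = 86400,
                 now: Callable[[], float] = time.time) -> None:
        self.refresh_ttl = refresh_ttl
        self.grace = grace           # how long a retired token stays on file for reuse checks
        self.now = now
        self.records: dict[str, RefreshRecord] = {}

    def issue(self, user: str, family: Optional[str] = None) -> str:
        """Mint a refresh token; the matching access token is left out for brevity."""
        token = secrets.token_urlsafe(32)
        self.records[token] = RefreshRecord(
            user, family or secrets.token_hex(8), self.now() + self.refresh_ttl)
        return token

    def rotate(self, old: str) -> str:
        """Exchange a refresh token for a new one and retire the old one."""
        rec = self.records.get(old)
        if rec is None or rec.expires_at <= self.now():
            raise PermissionError("unknown or expired refresh token")
        if rec.used_at is not None:
            # A retired token came back: assume it leaked and revoke the whole family.
            for r in self.records.values():
                if r.family == rec.family and r.used_at is None:
                    r.used_at = self.now()
            raise PermissionError("refresh token reuse detected; family revoked")
        rec.used_at = self.now()
        return self.issue(rec.user, rec.family)

    def purge(self) -> int:
        """Delete expired tokens and retired tokens that are past the grace window."""
        now = self.now()
        dead = [t for t, r in self.records.items()
                if r.expires_at <= now
                or (r.used_at is not None and r.used_at + self.grace <= now)]
        for t in dead:
            del self.records[t]
        return len(dead)
```

Keeping a retired token on file for a short grace window is what makes reuse detection possible; purging it immediately would remove the litter but also the evidence.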

💬 Support request

Status: Active
Version: 5.2
Component: Miscellaneous
Created by: TrevorBradley (🇨🇦 Canada)
