no restriction for refresh token lifetime span in identity server 4

Question

I used microservices, Currently am using JWT access token to access. But access token epired with certain time. To overcome this scenario I implemented refresh token to renew the expired access token. Now I want to implement no restriction for refresh token's lifetime span. How to achieve this?

Note: Am using Identity server 4 for JWT token generation

Answer 1

As documented, set RefreshTokenExpiration = Sliding and AbsoluteRefreshTokenLifetime = 0.

The DefaultRefreshToken service will accept that as indefinite slide. Relevant code:

// if absolute exp > 0, make sure we don't exceed absolute exp
// if absolute exp = 0, allow indefinite slide

var currentLifetime = refreshToken.CreationTime.GetLifetimeInSeconds(Clock.UtcNow.UtcDateTime);
var newLifetime = currentLifetime + client.SlidingRefreshTokenLifetime;

// zero absolute refresh token lifetime represents unbounded absolute lifetime
// if absolute lifetime > 0, cap at absolute lifetime
if (client.AbsoluteRefreshTokenLifetime > 0 && newLifetime > client.AbsoluteRefreshTokenLifetime)
{
    newLifetime = client.AbsoluteRefreshTokenLifetime;
}
refreshToken.Lifetime = newLifetime;

Set SlidingRefreshTokenLifetime to a longer time, e.g. one month.

With those settings the user can refresh the token indefinitely, with one restriction: the user can't be inactive for more than a month.

You can adjust this value to an acceptable expiration time for you.

Answer 2

Looking into the code, validating refresh token lifetime, I see there just

return (now > creationTime.AddSeconds(lifetime));

So the answer is: it's not possible to set it unbounded.

Nevertheless you are free to change the default value of 2592000 seconds / 30 days to something longer. Just set

AbsoluteRefreshTokenLifetime = <your_desired_value>

in (each) client configuration in your Identityserver