mfaani

Reputation: 36427

Is it ever reasonable to revoke a refresh token after a period of time?

I read here, and I wonder: should the server ever just revoke a refresh token after a certain period of time and force the user to log in again? I can't remember when the last time was that I had to enter my login credentials for my Gmail.

What do banks (or any site that stores sensitive data) do if a given user refreshes their token for 200 days? Should they allow the user to continue to use the site? I understand it involves user interaction, so it's not something that is easy to automate.

Upvotes: 0

Views: 309

Answers (1)

Gary Archer

Reputation: 29326

The refresh token lifetime (or enablement) is decided by an administrator who controls the assets - not by the end user.

Use of short-lived tokens is preferred: it is technically simple and zero maintenance.

Upvotes: 0
