Alexander Nied
Reputation: 13633
OAuth2: Is the `auth_time` claim tied to the refresh token expiration?
If I know that my auth provider sets refresh tokens to expire after twelve hours, and I have authenticated and my auth_time claim shows as 9AM today, can I safely assume that at 9PM tonight my refresh token will expire? Or are auth_time and refresh token issuance/expiration independent of one another?
Upvotes: 1
Views: 2039
Answers (1)
Tore Nestenius
Reputation: 19921
It depends on the auth provider, but in some providers you can set difference expire times on the different tokens (id/access/refresh). Also some supports absolute or sliding expiration times.
Sample expire config options for IdentityServer can be found here for inspiration.
Upvotes: 2
Related Questions
- OAuth: Should an unexpired access token be revoked when it is refreshed?
- OAuth2: Should a refresh token be invalidated after receiving a new access token?
- Lifetime of access and refresh tokens
- Oauth2 refresh_token confusion
- In OAuth2, when the refresh token request is executed to retrieve a new access token, are the previous Access Tokens invalidated?
- OAuth2: Update refresh token along with the access token or not?
- When refreshing access token early, is old access token still valid?
- Does OAuth 2.0 refresh token expires at all?
- OAuth 2 Requesting a new Access Token uses up Refresh Token?
- [OAuth2 authorization server]refresh token's expire time need different with access token?