django-oidc-provider

Expire time for refresh token

Open jbagot opened this issue 7 years ago • 1 comments

I think it would be fine if the refresh token had the option to expire. I can do a PR if you agree with that. Sometimes it is interesting to have a refresh token with an expire time, if we want a long-lived token with 60 days of inactivity, and after these 60 days the user must log in again. Let me know if it's interesting for you and I can implement it.

jbagot, Feb 02 '18 13:02

Hi, I think this is an important feature. As far as I understand the existing code, a user can stay logged in forever if he has a refresh_token. With every refresh, the user will receive a new access/id_token and a new refresh_token. It also doesn't matter if the current access_token has expired; it is still possible to generate a new access_token with the refresh_token.

The only chance to block a user is to remove all tokens of the user!

Flor1an-dev, Jul 09 '19 14:07
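An added example (not part of the thread and not django-oidc-provider's code) of the behaviour requested above: rotating refresh tokens that stop working after 60 days without use. `TokenStore`, `RefreshGrant`, `RefreshError` and `IDLE_TIMEOUT` are hypothetical names, and the in-memory dict stands in for the provider's token table.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

IDLE_TIMEOUT = timedelta(days=60)  # assumption: the 60 days of inactivity from the issue

class RefreshError(Exception):
    """Refresh token is unknown, already used, or expired."""

@dataclass
class RefreshGrant:
    user: str
    expires_at: datetime

class TokenStore:
    """Hypothetical in-memory store; a real provider would persist these rows."""

    def __init__(self):
        self._grants = {}  # refresh token -> RefreshGrant

    def issue(self, user, now):
        token = secrets.token_urlsafe(32)
        self._grants[token] = RefreshGrant(user, now + IDLE_TIMEOUT)
        return token

    def refresh(self, token, now):
        # pop() makes every refresh token single-use (rotation).
        grant = self._grants.pop(token, None)
        if grant is None:
            raise RefreshError("unknown or already used refresh token")
        if now >= grant.expires_at:
            raise RefreshError("refresh token expired, user must log in again")
        # Sliding window: a successful refresh restarts the idle timer.
        return self.issue(grant.user, now)

def demo():
    store = TokenStore()
    t0 = datetime(2018, 2, 2, tzinfo=timezone.utc)  # constructed timestamp
    first = store.issue("alice", t0)
    second = store.refresh(first, t0 + timedelta(days=59))  # active user: accepted
    outcomes = {"rotated": second != first}
    attempts = [("replay", first, t0 + timedelta(days=59)),   # old token reused
                ("idle", second, t0 + timedelta(days=120))]   # 61 days of inactivity
    for label, token, when in attempts:
        try:
            store.refresh(token, when)
            outcomes[label] = "accepted"
        except RefreshError as exc:
            outcomes[label] = str(exc)
    return outcomes
```

Without the `expires_at` check, the loop of refreshes described in the second comment never ends; with it, the only ways to keep a session alive are to refresh within the window or to log in again.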