Appropriate refresh token setting for rolling window?
-
What is the appropriate setting to use regarding refresh token expiration and refresh token usage when you want the following:
- The refresh token can only be used once; on refresh, a new refresh token is issued
- The new refresh token has an updated expiration of "Refresh Token duration" instead of the former refresh token's expiration
I'm using:
Refresh Token expiration: Sliding window
Refresh Token usage: One time use
Would those be the correct settings?
-
Hiya,
I don't think you want 'sliding window' because that essentially gives a refresh token a new lifetime once you use it. From the docs:
If ... the expiration is a sliding window, then if the refresh token is used at 1:55pm, it would then expire at 2:55pm. If it were then used at 2:50pm, it would expire at 3:50pm.
You want one time use, for sure. But you also want the "Refresh token expiration" to be set to "fixed".
Hope that helps,
Dan
-
So basically for fixed, the new token will have a reset exp date, while the old one will retain its existing one?
-
Yup. Here's a scenario with fixed and one time use. Let's say that refresh tokens have a lifetime of 10 days.
Refresh token A is issued on day 1 (there's a JWT along for the ride as well). It is usable until day 10.
On day 9, the JWT and refresh token A are presented to FusionAuth. A new JWT and refresh token B are generated. Refresh token B is good until day 19 (10 days from when it was issued).
Hope this helps.
You might also be interested in these refresh-token-related issues in GitHub:
-
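The behaviour described in Dan's two answers (fixed vs sliding expiration, one-time vs reusable use), as an added example that is not part of the original thread and is not FusionAuth code. It is an in-memory model with hypothetical names (RefreshTokenStore, RefreshError, the expiration/usage keyword values) that applies the rules the thread and the quoted docs state; time is an integer, days for the day-1/day-9 walk-through and minutes since midnight for the docs' 1:55pm/2:50pm example. How FusionAuth implements these settings beyond what the thread quotes is an assumption.

```python
"""Model of refresh-token expiration and usage policies as described in the thread.

Added, self-contained example (not FusionAuth code). Policies modelled:
  expiration: "fixed"   -> expiry set once at issue and never moved
              "sliding" -> each use pushes expiry out by a full lifetime
  usage:      "reusable" -> the same token is handed back
              "one_time" -> the token is consumed and a fresh one issued
"""
import secrets
from dataclasses import dataclass
from typing import Dict


class RefreshError(Exception):
    """Raised when a refresh token is unknown, expired, or already consumed."""


@dataclass
class RefreshToken:
    value: str
    expires_at: int
    consumed: bool = False


class RefreshTokenStore:
    def __init__(self, lifetime: int, expiration: str = "fixed", usage: str = "one_time"):
        if expiration not in ("fixed", "sliding"):
            raise ValueError("expiration must be 'fixed' or 'sliding'")
        if usage not in ("reusable", "one_time"):
            raise ValueError("usage must be 'reusable' or 'one_time'")
        self.lifetime = lifetime
        self.expiration = expiration
        self.usage = usage
        self._tokens: Dict[str, RefreshToken] = {}

    def issue(self, now: int) -> RefreshToken:
        """Mint a refresh token valid for one full lifetime from `now`."""
        tok = RefreshToken(value=secrets.token_urlsafe(32), expires_at=now + self.lifetime)
        self._tokens[tok.value] = tok
        return tok

    def refresh(self, value: str, now: int) -> RefreshToken:
        """Exchange a refresh token; returns the token the client should keep.

        The JWT that would be issued alongside it is omitted from the model.
        """
        tok = self._tokens.get(value)
        if tok is None:
            raise RefreshError("unknown refresh token")
        if tok.consumed:
            # A one-time token presented twice: a client bug or a replayed
            # (possibly stolen) token. Either way it must be rejected.
            raise RefreshError("refresh token already used")
        if now >= tok.expires_at:
            raise RefreshError("refresh token expired")

        if self.usage == "one_time":
            tok.consumed = True
            return self.issue(now)            # new token, new full lifetime
        if self.expiration == "sliding":
            tok.expires_at = now + self.lifetime  # same token, lifetime renewed
        return tok                             # fixed + reusable: unchanged


def thread_scenario() -> dict:
    """Dan's walk-through: fixed expiration, one-time use, 10-day lifetime."""
    store = RefreshTokenStore(lifetime=10, expiration="fixed", usage="one_time")
    a = store.issue(now=1)                     # day 1: refresh token A
    b = store.refresh(a.value, now=9)          # day 9: A consumed, B issued
    try:
        store.refresh(a.value, now=9)          # presenting A again must fail
        a_replay_rejected = False
    except RefreshError:
        a_replay_rejected = True
    return {
        "a_expires": a.expires_at,             # day 1 + 10 = 11
        "b_expires": b.expires_at,             # day 9 + 10 = 19
        "b_is_new_token": a.value != b.value,
        "a_replay_rejected": a_replay_rejected,
    }


def docs_sliding_scenario() -> dict:
    """Quoted docs example: sliding window, reusable token, 60-minute lifetime.
    Constructed times are minutes since midnight (1:55pm = 835)."""
    store = RefreshTokenStore(lifetime=60, expiration="sliding", usage="reusable")
    tok = store.issue(now=13 * 60)             # issued 1:00pm, expires 2:00pm
    store.refresh(tok.value, now=13 * 60 + 55) # used at 1:55pm
    after_first = tok.expires_at               # 2:55pm = 895
    store.refresh(tok.value, now=14 * 60 + 50) # used at 2:50pm
    after_second = tok.expires_at              # 3:50pm = 950
    return {"after_first_use": after_first, "after_second_use": after_second}


def fixed_reusable_scenario() -> int:
    """Same timeline with fixed expiration: use does not extend the token."""
    store = RefreshTokenStore(lifetime=60, expiration="fixed", usage="reusable")
    tok = store.issue(now=13 * 60)
    store.refresh(tok.value, now=13 * 60 + 55)
    return tok.expires_at                      # still 2:00pm = 840
```

In this model the sliding/fixed distinction only shows up on a reusable token, because a one-time token is consumed on use and its replacement always starts a full lifetime; the property worth checking in a real deployment is the last one in thread_scenario, that a consumed refresh token presented a second time is rejected rather than silently honoured.
-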
@dan Thanks, this is the use-case I was expecting.