
How To Set Oauth Token Expiration Time

Refresh tokens can be a target for abuse if leaked because they can be used to acquire new access tokens. To mitigate this risk, Auth0 recommends using Automatic Reuse Detection and Refresh Token Rotation. Refresh Token Rotation issues a refresh token that expires after a preset lifetime. After expiration, the user gets a new refresh token in the same family (refresh tokens that share a family ID), or a new access token/refresh token pair. To learn more, read Refresh Token Rotation.

You can enable and configure two refresh token lifetime settings, absolute and inactivity expiration, using either the Auth0 Dashboard or the Auth0 Management API. You can use a combination of absolute and inactivity expiration periods to create a balance between security and user experience that suits your business needs.

  • Absolute Lifetime: Set a refresh token or refresh token family lifetime after which the user must re-authenticate before being issued a new access token. If you disable this setting, the absolute lifetime will be indefinite.

  • Inactivity Lifetime: Set up the inactivity lifetime of issued refresh tokens to expire if the user is not active in your application during a specified period.

Use the Dashboard

  1. Go to Dashboard > Applications.

  2. Select the application you want to configure.

  3. Go to the Settings tab.

  4. Under Refresh Token Expiration, enable Absolute Expiration. When enabled, a refresh token will expire based on an absolute lifetime, after which the token can no longer be used. If rotation is enabled, an expiration lifetime must be set.

  5. Enter Absolute Lifetime in seconds. The refresh token expires after the specified interval and can no longer be used to get a new access token. When rotation is enabled, the absolute expiration also applies to the ability to get new tokens.

    Value:
      Default   2,592,000 seconds (30 days)
      Minimum   1 second
      Maximum   31,557,600 seconds (1 year)
  6. Enable Inactivity Expiration. When enabled, a refresh token will expire based on a specified inactivity lifetime, after which the token can no longer be used.

  7. Enter Inactivity Lifetime in seconds. If the refresh token is not exchanged within the specified interval, the refresh token expires and can no longer be used to get a new access token. The expiration period is renewed each time the refresh token is exchanged for a new access token within the interval.

    Value:
      Minimum   1 second
      Maximum   31,557,600 seconds (1 year)
  8. Click Save Changes.

Use the Management API

You can configure the absolute and inactivity lifetime settings in the payload for the Management API /api/v2/clients/{id} endpoint. Here is an example that sets expiration lifetimes for a non-rotating refresh token (30 days absolute, 7 days inactivity):

    PATCH /api/v2/clients/{id}
    {
      "refresh_token": {
        "rotation_type": "non-rotating",
        "expiration_type": "expiring",
        "token_lifetime": 2592000,
        "infinite_token_lifetime": false,
        "idle_token_lifetime": 604800,
        "infinite_idle_token_lifetime": false
      }
    }
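The following script is an added example, not Auth0's own code or the page's: it builds the refresh_token object for the PATCH call above, enforcing the limits the page states (1 to 31,557,600 seconds, and rotation requiring an absolute expiration), and then sends the request with the standard library. The rotation_type value "rotating" and the expiration_type value "non-expiring" are taken from the Management API's client schema and do not appear on this page; the tenant domain, client ID and Management API token are placeholders you supply, and the token is assumed to carry the update:clients scope.

```python
"""Configure refresh token expiration through PATCH /api/v2/clients/{id}.

Added example (not Auth0 code). Assumes a Management API token with the
update:clients scope. Domain, client ID and token are placeholders.
"""
import json
import urllib.request

MIN_LIFETIME = 1            # documented minimum, in seconds
MAX_LIFETIME = 31_557_600   # documented maximum (1 year), in seconds


def _check_lifetime(name, seconds):
    """Reject values outside the documented 1 second .. 1 year window."""
    if isinstance(seconds, bool) or not isinstance(seconds, int):
        raise ValueError(f"{name} must be an integer number of seconds")
    if not MIN_LIFETIME <= seconds <= MAX_LIFETIME:
        raise ValueError(
            f"{name} must be between {MIN_LIFETIME} and {MAX_LIFETIME} seconds"
        )


def build_refresh_token_settings(absolute_lifetime=None,
                                 inactivity_lifetime=None,
                                 rotating=False):
    """Return the refresh_token object for the PATCH body.

    absolute_lifetime / inactivity_lifetime are seconds, or None to leave
    that expiration disabled (indefinite). Rotation requires an absolute
    lifetime, as the Dashboard procedure states.
    """
    if rotating and absolute_lifetime is None:
        raise ValueError("rotation requires an absolute expiration lifetime")

    settings = {"rotation_type": "rotating" if rotating else "non-rotating"}

    if absolute_lifetime is None:
        settings["expiration_type"] = "non-expiring"
        settings["infinite_token_lifetime"] = True
    else:
        _check_lifetime("absolute_lifetime", absolute_lifetime)
        settings["expiration_type"] = "expiring"
        settings["token_lifetime"] = absolute_lifetime
        settings["infinite_token_lifetime"] = False

    if inactivity_lifetime is None:
        settings["infinite_idle_token_lifetime"] = True
    else:
        _check_lifetime("inactivity_lifetime", inactivity_lifetime)
        settings["idle_token_lifetime"] = inactivity_lifetime
        settings["infinite_idle_token_lifetime"] = False

    return settings


def patch_client_refresh_token(domain, client_id, mgmt_token, settings):
    """Send the PATCH and return the parsed JSON response (network call)."""
    body = json.dumps({"refresh_token": settings}).encode()
    req = urllib.request.Request(
        f"https://{domain}/api/v2/clients/{client_id}",
        data=body,
        method="PATCH",
        headers={
            "Authorization": f"Bearer {mgmt_token}",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Same values as the page's example: 30 days absolute, 7 days inactivity.
    settings = build_refresh_token_settings(2_592_000, 604_800)
    print(json.dumps({"refresh_token": settings}, indent=2))
    # To apply it, replace the placeholders and uncomment:
    # patch_client_refresh_token("YOUR_TENANT.auth0.com", "YOUR_CLIENT_ID",
    #                            "YOUR_MGMT_API_TOKEN", settings)
```

Run the script as-is to print the payload for review; the two lifetimes are kept as explicit function arguments so a deployment script fails fast on an out-of-range value instead of learning about it from the API's error response.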

Support and limitations

  • You can opt in to use refresh token expiration capabilities; no action is required by you. Existing refresh tokens are not affected.

  • If you need to go above the 1 year limitation (up to 5 years), Auth0 can increase the limit for you. Contact your Auth0 Technical Account Manager for details.

  • Refresh token expiration works with the following flows:

    • Authorization Code Flow

    • Authorization Code Flow with Proof Key for Code Exchange

    • Device Authorization Flow

    • Resource Owner Password Flow

  • All Auth0 SDKs support refresh token expiration.

  • The refresh token expiration feature complies with the OAuth 2.0 Security BCP recommendations.

Learn more

  • Get Refresh Tokens
  • Refresh Token Rotation
  • Configure Refresh Token Rotation
  • Revoke Refresh Tokens

Source: https://auth0.com/docs/secure/tokens/refresh-tokens/configure-refresh-token-expiration
