How to set refresh token expiration time?

#1

How to set refresh token expiration time?

0 Likes

Refresh tokens should expire and access tokens should not expire.

#2

Same, please check the docs.

0 Likes

#3

I was looking at documentation, but I did not find anything talking about the lifetime of the refresh token, just the token.

0 Likes

#4

AdonisJs provides additional options. Set the expiresIn to set the expiration time.

See Table 1. Additional Options

Ex.

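```js
{
  authenticator: 'jwt',
  jwt: {
    serializer: 'Lucid',
    model: 'App/Model/User',
    scheme: 'jwt',
    uid: 'email',
    password: 'password',
    options: {
      secret: Config.get('app.appKey'),
      // a numeric expiresIn is interpreted as seconds (86400 = 24 hours)
      expiresIn: 86400,
      // the algorithm name must be a string
      algorithm: 'HS384',
      ...
    }
  }
}
```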

Hope this helps :smiley:

0 Likes

#5

Hello, about the expiresIn I have actually seen it, but it seems to me that it has no effect. Do not update token and even if I have a half incoherent the token and the refresh token have the same lifetime. I know that in Laravel it is possible to configure a lifetime for the token and another lifetime for the update token. I may be wrong, but I think there should be a way to configure the update ring time and a lifetime for the token itself.

0 Likes

#6

Refresh tokens don’t expire. They are saved inside the database and you have to revoke them or delete them.

1 Like

#7

Here it is in action.

Also, you are correct. Laravel Passport does allow one to set the expiration of a refresh token using the **refreshTokensExpireIn()** method, but not sure in AdonisJs’ case.

It appears as though AdonisJs is using Auth0’s JWT package.

Also, it doesn’t look as though it allows for an expiration on the refresh token; however, poke around in Auth0’s repo. Have fun!

Hope this helps :smiley:

0 Likes

#8

Now, this comment saved me. I was thinking that what was saved was not the database and update too. Now I’ve even found a solution for this TOPIC that is active. Thank you very much.

0 Likes

#9

Okay, thanks for your example.

0 Likes

#10

When you check on the table tokens you can see the created_at and updated_at.

I also had the same problem and I resolved it by having a cron job which I could run to set is_revoked to 1 on refresh tokens whose last updated_at was maybe 24 hours ago, or your preferred refresh token duration.
That will automatically revoke a refresh token.

0 Likes
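The cron-based revocation described in post #10, as an added example that is not part of the original thread and is not AdonisJs code. It goes one step beyond the post by also checking the token's age at refresh time, since a periodic job leaves a window between runs. The `tokens` table and the `is_revoked` and `updated_at` columns come from the thread; the `type` value, the function names, the UTC timestamp format and the sample rows are assumptions.

```javascript
// Added example. Assumed: the `type` value, UTC "YYYY-MM-DD HH:MM:SS"
// timestamps, and an integer (0/1) is_revoked column.
const REFRESH_TTL_MS = 24 * 60 * 60 * 1000; // 24 hours, as suggested in the post
const REFRESH_TYPE = 'jwt_refresh_token';   // assumed value of the `type` column

// Parse a database timestamp as UTC; returns NaN if it is malformed.
function parseUtc(ts) {
  const m = /^(\d{4})-(\d{2})-(\d{2}) (\d{2}):(\d{2}):(\d{2})$/.exec(String(ts));
  return m ? Date.UTC(+m[1], m[2] - 1, +m[3], +m[4], +m[5], +m[6]) : NaN;
}

// True when a row is past its lifetime. Malformed timestamps fail closed.
function isExpired(row, nowMs, ttlMs = REFRESH_TTL_MS) {
  const updated = parseUtc(row.updated_at);
  return Number.isNaN(updated) || nowMs - updated >= ttlMs;
}

// What the cron job selects: live refresh tokens that are too old.
function idsToRevoke(rows, nowMs, ttlMs = REFRESH_TTL_MS) {
  return rows
    .filter((r) => r.type === REFRESH_TYPE && !r.is_revoked && isExpired(r, nowMs, ttlMs))
    .map((r) => r.id);
}

// Request-time check: the sweep only runs periodically, so the refresh
// endpoint should also reject a stale token the job has not reached yet.
function isUsable(row, nowMs, ttlMs = REFRESH_TTL_MS) {
  return row.type === REFRESH_TYPE && !row.is_revoked && !isExpired(row, nowMs, ttlMs);
}

// Parameterized form of the same sweep, with the same cutoff as isExpired().
function revokeStatement(nowMs, ttlMs = REFRESH_TTL_MS) {
  const cutoff = new Date(nowMs - ttlMs).toISOString().slice(0, 19).replace('T', ' ');
  return {
    sql: 'UPDATE tokens SET is_revoked = 1 WHERE type = ? AND is_revoked = 0 AND updated_at <= ?',
    bindings: [REFRESH_TYPE, cutoff],
  };
}

// Constructed sample rows, not real data.
const NOW = Date.UTC(2024, 0, 10, 12, 0, 0);
const SAMPLE_ROWS = [
  { id: 1, type: REFRESH_TYPE, is_revoked: 0, updated_at: '2024-01-10 09:00:00' }, // fresh
  { id: 2, type: REFRESH_TYPE, is_revoked: 0, updated_at: '2024-01-08 09:00:00' }, // stale
  { id: 3, type: REFRESH_TYPE, is_revoked: 1, updated_at: '2024-01-01 00:00:00' }, // already revoked
  { id: 4, type: REFRESH_TYPE, is_revoked: 0, updated_at: 'not-a-date' },          // malformed
  { id: 5, type: 'api_token', is_revoked: 0, updated_at: '2023-01-01 00:00:00' },  // other token type
];
console.log(idsToRevoke(SAMPLE_ROWS, NOW), revokeStatement(NOW));
```

Because `updated_at` drives the cutoff, this gives an idle timeout only if the row is touched on each refresh; use `created_at` instead for a fixed maximum lifetime.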

#11

I don’t get what’s the point of expiring the refresh token. Read more here https://auth0.com/learn/refresh-tokens/

0 Likes