
Is it ever reasonable to revoke a refresh token after a period of time?

I read here, and I wonder: should the server ever just revoke a refresh token after a certain period of time and force the user to log in again? I can't remember when the last time was that I had to enter my login credentials for my Gmail.

What do banks (or any site that stores sensitive data) do if a given user refreshes their token for 200 days? Should they allow the user to continue to use the site? I understand it involves user interaction, so it's not something that is easy to automate.

The refresh token lifetime (or enablement) is decided by an administrator who controls the assets, not by the end user.

Use of short-lived tokens is preferred: it is technically simple and zero maintenance.
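As an added illustration (not code from the question or the answer above), the following is a small token issuer that enforces the kind of administrator-set policy the answer describes: short-lived access tokens, refresh tokens that are rotated on every use, a sliding idle limit, and an absolute cap measured from the last credential login, after which the refresh token is refused and the user must authenticate again regardless of how often they refreshed. The class and function names, the in-memory stores, the `FakeClock` helper and the 15-minute / 30-day / 90-day values are assumptions chosen for the example.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class TokenPolicy:
    """Lifetimes set by the administrator of the protected assets (constructed values)."""
    access_ttl: int = 15 * 60                   # short-lived access token
    refresh_idle_ttl: int = 30 * 24 * 3600      # sliding window: unused this long => re-login
    refresh_absolute_ttl: int = 90 * 24 * 3600  # hard cap since the last credential login


@dataclass
class RefreshRecord:
    user: str
    session_id: str       # groups every refresh token descended from one credential login
    issued_at: float
    session_start: float  # time of the last credential login
    revoked: bool = False


class TokenService:
    """In-memory issuer; a real deployment would back these dicts with a database."""

    def __init__(self, policy: TokenPolicy, clock=time.time):
        self.policy = policy
        self.clock = clock
        self._refresh: dict[str, RefreshRecord] = {}
        self._access: dict[str, tuple[str, float]] = {}

    def login(self, user: str):
        """Call only after the caller has verified the user's credentials."""
        return self._mint(user, secrets.token_urlsafe(16), self.clock())

    def _mint(self, user, session_id, session_start):
        now = self.clock()
        refresh = secrets.token_urlsafe(32)
        access = secrets.token_urlsafe(32)
        self._refresh[refresh] = RefreshRecord(user, session_id, now, session_start)
        self._access[access] = (user, now + self.policy.access_ttl)
        return access, refresh

    def _revoke_session(self, session_id):
        for rec in self._refresh.values():
            if rec.session_id == session_id:
                rec.revoked = True

    def refresh(self, refresh_token: str):
        """Rotate the refresh token; None means the client must log in again."""
        rec = self._refresh.get(refresh_token)
        if rec is None:
            return None
        if rec.revoked:
            # A rotated-out token being presented again suggests it leaked: end the whole session.
            self._revoke_session(rec.session_id)
            return None
        rec.revoked = True  # every refresh token is single use
        now = self.clock()
        if now - rec.issued_at > self.policy.refresh_idle_ttl:
            return None     # idle too long
        if now - rec.session_start > self.policy.refresh_absolute_ttl:
            return None     # absolute lifetime reached, however often it was refreshed
        return self._mint(rec.user, rec.session_id, rec.session_start)

    def validate_access(self, access_token: str):
        entry = self._access.get(access_token)
        if entry is None:
            return None
        user, expires_at = entry
        return user if self.clock() < expires_at else None


class FakeClock:
    """Settable clock so the lifetimes can be exercised without waiting."""
    def __init__(self, t: float = 0.0):
        self.t = t

    def __call__(self) -> float:
        return self.t


if __name__ == "__main__":
    clock = FakeClock(1_000_000.0)
    svc = TokenService(TokenPolicy(), clock=clock)
    _, refresh = svc.login("alice")
    # Refresh every 20 days: rotation succeeds until the 90-day absolute cap is crossed.
    for day in range(0, 120, 20):
        clock.t = 1_000_000.0 + day * 86400
        pair = svc.refresh(refresh)
        print(f"day {day:3d}: {'rotated' if pair else 'must log in again'}")
        if pair:
            refresh = pair[1]
```

The two limits answer the question's "200 days" case directly: the idle limit covers the abandoned session, and the absolute limit bounds how long a stolen refresh token stays useful even when the thief keeps refreshing. Reuse of an already-rotated token is treated as a signal that it was copied, and the whole session is revoked rather than only that token.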
