I read here and I wonder: should the server ever just revoke the refresh token after a certain period of time and force the user to log in again? I can't remember when the last time was that I had to enter my login credentials for my Gmail.
What do banks (or any site that stores sensitive data) do if a given user keeps refreshing their token for 200 days? Should they allow the user to continue to use the site? I understand it involves user interaction, so it's not something that is easy to automate.
The refresh token lifetime (or enablement) is decided by an administrator who controls the assets - not by the end user.
Use of short-lived tokens is preferred - it is technically simple and zero maintenance.
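As an added illustration (not code from the question or answer above) of how such an administrator-set policy can be enforced, the service below hands out short-lived access tokens, rotates the refresh token on every use, and keeps the time of the original interactive login so that an absolute cap forces re-login no matter how often the user refreshes; the class names, field names and lifetimes are assumptions.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class RefreshPolicy:
    """Lifetimes chosen by the administrator, not the end user (assumed values)."""
    access_ttl: int = 15 * 60             # access token validity in seconds
    idle_ttl: int = 30 * 24 * 3600        # refresh token dies if unused this long
    absolute_ttl: int = 90 * 24 * 3600    # hard cap measured from the interactive login


@dataclass
class RefreshRecord:
    user: str
    login_at: float     # time of the last interactive login; never reset by refresh
    last_used: float    # time of the last successful refresh


class TokenService:
    def __init__(self, policy: RefreshPolicy, clock=time.time):
        self.policy = policy
        self.clock = clock                       # injectable clock for testing
        self._refresh: dict[str, RefreshRecord] = {}

    def login(self, user: str) -> tuple[str, float, str]:
        """Interactive login starts a new session chain."""
        now = self.clock()
        return self._issue(RefreshRecord(user, login_at=now, last_used=now))

    def refresh(self, token: str) -> tuple[str, float, str]:
        """Exchange a refresh token for a new access token and a new refresh token."""
        rec = self._refresh.pop(token, None)     # single use: a replayed token fails
        if rec is None:
            raise PermissionError("unknown or already-used refresh token")
        now = self.clock()
        if now - rec.login_at > self.policy.absolute_ttl:
            raise PermissionError("session too old; interactive login required")
        if now - rec.last_used > self.policy.idle_ttl:
            raise PermissionError("refresh token idle too long; login required")
        rec.last_used = now                      # sliding idle window, fixed login_at
        return self._issue(rec)

    def _issue(self, rec: RefreshRecord) -> tuple[str, float, str]:
        refresh_token = secrets.token_urlsafe(32)
        self._refresh[refresh_token] = rec
        access_token = secrets.token_urlsafe(32)  # opaque; expiry tracked separately
        return access_token, self.clock() + self.policy.access_ttl, refresh_token
```

Because `login_at` is carried across every rotation, a user who refreshes daily still hits the absolute cap and must re-authenticate, while the idle window alone catches abandoned sessions.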