Perhaps if the user selects a "remember me" option on login then their token lasts an absurdly long time (6 months?). Extend the base token expiry to 28 days or so.
As far as I know, having a long expiry for a token is not secure as it allows users to maliciously access user data. Refresh tokens exist so that in case someone does get a hold of an account, it'll only be for a few seconds. I think it's more common to see tokens having expiration times of 30 seconds to a minute, generating refresh tokens every time. I'm not sure what the logistics are of how to make this work, but hopefully that article can provide some insight on how to approach this problem. If anything, it might be worth doing this while we figure out a solution for JWT refresh tokens.
Sorry, I didn't say if I was talking about access or refresh; I haven't investigated our auth as heavily or used JWT for a while. I meant having a refresh token that lasts that long, and 30 seconds is shorter than usual, I believe.
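The split discussed in this thread, as an added example that is not part of the issue or the project's code: a short-lived signed access token plus a server-side refresh token that lasts 28 days, or about 6 months with "remember me", and is rotated on every use. The 15-minute access lifetime, the HMAC token format, the in-memory store and all function names are assumptions made for the example.

```python
import base64, hashlib, hmac, json, secrets

SECRET = secrets.token_bytes(32)   # signing key, constructed for this example
ACCESS_TTL = 15 * 60               # assumption: 15-minute access tokens
REFRESH_TTL = 28 * 86400           # base refresh lifetime proposed in the thread
REMEMBER_TTL = 180 * 86400         # "remember me" lifetime (about 6 months)
_refresh_store = {}                # sha256(refresh token) -> (user, expiry, remember_me)

def _sign(body: bytes) -> str:
    return hmac.new(SECRET, body, hashlib.sha256).hexdigest()

def _key(refresh: str) -> str:
    # Store only a hash so a leaked store does not yield usable refresh tokens.
    return hashlib.sha256(refresh.encode()).hexdigest()

def issue_tokens(user, remember_me, now):
    """Return (access, refresh). Only the refresh lifetime depends on remember_me."""
    claims = json.dumps({"sub": user, "exp": now + ACCESS_TTL}).encode()
    body = base64.urlsafe_b64encode(claims)
    access = body.decode() + "." + _sign(body)
    refresh = secrets.token_urlsafe(32)
    ttl = REMEMBER_TTL if remember_me else REFRESH_TTL
    _refresh_store[_key(refresh)] = (user, now + ttl, remember_me)
    return access, refresh

def verify_access(token, now):
    """Return the user for a valid, unexpired access token, else None."""
    body, _, sig = token.partition(".")
    if not hmac.compare_digest(sig.encode(), _sign(body.encode()).encode()):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims["sub"] if now < claims["exp"] else None

def rotate(refresh, now):
    """Exchange a refresh token for a new pair; each refresh token works once."""
    entry = _refresh_store.pop(_key(refresh), None)
    if entry is None or now >= entry[1]:
        return None                # unknown, already used, or expired
    user, _, remember_me = entry
    return issue_tokens(user, remember_me, now)  # lifetime restarts from now
```

A stolen access token stops working within `ACCESS_TTL`, and a refresh token presented a second time is rejected because rotation removed it from the store.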