Feat: add support to refresh token absolute lifetime #2
What does this pull request change?
This pull request adds a new configuration option, refreshTokenExpiryStrategy. This option allows users to specify the refresh token expiration strategy, choosing between:
'renewable': The refresh token's expiration time is renewed each time it is used.
'absolute': The refresh token's expiration time is fixed from its initial issuance and does not change.
Why is this pull request needed?
We are currently using Auth0 with Absolute Expiration. Auth0 implements an absolute expiration strategy for refresh tokens, meaning the expiration time is fixed from the initial issuance and does not renew with each use. However, the library was designed with the assumption that the refresh token expiration would be renewed each time a new refresh token is requested.
This mismatch between the actual expiration behavior and the library's expectations is causing issues. The library incorrectly assumes the refresh token has a longer validity period than it actually does, leading to potential authentication failures when the refresh token expires earlier than anticipated.
By introducing the refreshTokenExpiryStrategy configuration option, we can ensure that the library can accurately handle both renewable and absolute expiration strategies, preventing such mismatches and improving compatibility with different OAuth2 providers like Auth0.
Content related to this change
Configure Refresh Token Expiration - Absolute Lifetime
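The mismatch described above, as an added example that is not code from this pull request or from the library: it replays refresh attempts against a provider that enforces an absolute lifetime and reports the attempts where the client still trusts a token the provider has already expired. The function names, the login time of t = 0, and the sample schedule are assumptions made for illustration; only the option name and its two values come from the description.

```javascript
// Added illustration. Function and field names are hypothetical, not the library's API.
const HOUR = 60 * 60 * 1000;

// Expiry the client records for the refresh token after a token response.
// `prev` is null on first login; all times are milliseconds since login.
function trackExpiry(prev, now, lifetimeMs, strategy) {
  if (strategy !== 'renewable' && strategy !== 'absolute') {
    throw new RangeError(`unknown refreshTokenExpiryStrategy: ${strategy}`);
  }
  if (prev === null || strategy === 'renewable') {
    return now + lifetimeMs; // first issuance, or sliding window restarted on use
  }
  return prev; // absolute: deadline stays fixed at first issuance
}

// Replay refresh attempts against a provider that enforces an absolute
// lifetime, recording what the client believed at each attempt.
function replay(clientStrategy, lifetimeMs, refreshTimes) {
  const providerDeadline = lifetimeMs; // assumption: login happened at t = 0
  let clientExpiry = trackExpiry(null, 0, lifetimeMs, clientStrategy);
  const steps = [];
  for (const t of refreshTimes) {
    const clientThinksValid = t < clientExpiry;
    const providerAccepts = t < providerDeadline;
    steps.push({ t, clientThinksValid, providerAccepts });
    if (!clientThinksValid || !providerAccepts) break; // session ends either way
    clientExpiry = trackExpiry(clientExpiry, t, lifetimeMs, clientStrategy);
  }
  return steps;
}

// Attempts where the client still trusts the token but the provider rejects it.
function unexpectedFailures(clientStrategy, lifetimeMs, refreshTimes) {
  return replay(clientStrategy, lifetimeMs, refreshTimes)
    .filter((s) => s.clientThinksValid && !s.providerAccepts)
    .map((s) => s.t);
}

// Constructed sample: 24 h lifetime, refresh attempted every 10 h after login.
const sample = [10 * HOUR, 20 * HOUR, 30 * HOUR];
console.log('renewable:', unexpectedFailures('renewable', 24 * HOUR, sample));
console.log('absolute: ', unexpectedFailures('absolute', 24 * HOUR, sample));
```

With client-side tracking set to 'absolute', the 30 h attempt is never a surprise: the client already knows the token expired at 24 h and can send the user to re-authenticate instead of issuing a refresh request that will fail.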