Mismatch Between Refresh Token Expiration Handling and Auth0's Absolute Expiration Policy #167

kleysonfiretail · 2024-05-29T10:45:32Z

kleysonfiretail
May 29, 2024

I am currently using Auth0 with Absolute Expiration and Refresh Token Rotation. However, I noticed that the library seems to expect the refresh token's expiration time to be renewed with each use.

The library renews the expiration time of the refresh token every time I request a new refresh token. Since I am using an absolute expiration policy, the refresh token should not be renewed and should have a fixed expiration time from the initial issuance. This discrepancy causes a mismatch between when the token actually expires and when the library thinks it will expire.

Question:

Is there a way to configure the library to handle refresh tokens with a fixed expiration time from initial issuance, so it aligns with Auth0's Absolute Expiration policy? If not, are there any plans to support this behavior, or do you have any recommended workarounds?

Answered by kleysonfiretail

May 30, 2024

@soofstad I took the liberty of creating a PR with the fix for this issue

#168

View full answer

soofstad · 2024-05-30T06:49:35Z

soofstad
May 30, 2024
Maintainer

Hi @kleysonfiretail
Thank you for raising the issue.
Ideally, the Identity Provider should respond with a refresh_expires_in or similar, if it returns a refresh token. Does it? Or is it called something unconventional?

Also, if the IDP does not return a refresh_token, the library will keep the old one, and the expire time for that.

These two mechanism together should result in the behavior you expect.
If it does not, I'd like to figure out why.

And if all else fail, you do have this config param:

// Can be used if auth provider doesn't return refresh token expiration time in token response
  refreshTokenExpiresIn?: number // default: null

0 replies

kleysonfiretail · 2024-05-30T08:39:07Z

kleysonfiretail
May 30, 2024
Author

Hi @soofstad thank you for answering me

Let me give you a little bit more context:

The IDP does not return the refresh_expires_in or similar, and seems to be not possible to do that

Similar issue: Need access to Absolute Expiry of refresh token in the UI
Similar issue: How to get Refresh token expiry time in response?

We are also using the approach called Refresh Token Rotation this means that we have a refresh_token and every time the application exchanges the refresh_token to get a new access token, a new refresh token is also returned

DOC: Refresh Token Rotation

We tried to use the refreshTokenExpiresIn and although it helps it does not solve our issue

0 replies

kleysonfiretail · 2024-05-30T08:43:33Z

kleysonfiretail
May 30, 2024
Author

@soofstad I took the liberty of creating a PR with the fix for this issue

#168

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Mismatch Between Refresh Token Expiration Handling and Auth0's Absolute Expiration Policy #167

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 3 comments

{{title}}

{{title}}

{{title}}

Select a reply

Mismatch Between Refresh Token Expiration Handling and Auth0's Absolute Expiration Policy #167

kleysonfiretail May 29, 2024

Replies: 3 comments

soofstad May 30, 2024 Maintainer

kleysonfiretail May 30, 2024 Author

kleysonfiretail May 30, 2024 Author

kleysonfiretail
May 29, 2024

soofstad
May 30, 2024
Maintainer

kleysonfiretail
May 30, 2024
Author

kleysonfiretail
May 30, 2024
Author