
Feat: add support to refresh token absolute lifetime #168


Merged: 8 commits, May 31, 2024


kleysonfiretail (Contributor)

What does this pull request change?

This pull request adds a new configuration option, refreshTokenExpiryStrategy. This option allows users to specify the refresh token expiration strategy, choosing between:

'renewable': The refresh token's expiration time is renewed each time it is used.
'absolute': The refresh token's expiration time is fixed from its initial issuance and does not change.

Why is this pull request needed?

We are currently using Auth0 with Absolute Expiration. Auth0 implements an absolute expiration strategy for refresh tokens, meaning the expiration time is fixed from the initial issuance and does not renew with each use. However, the library was designed with the assumption that the refresh token expiration would be renewed each time a new refresh token is requested.

This mismatch between the actual expiration behavior and the library's expectations is causing issues. The library incorrectly assumes the refresh token has a longer validity period than it actually does, leading to potential authentication failures when the refresh token expires earlier than anticipated.

By introducing the refreshTokenExpiryStrategy configuration option, we can ensure that the library can accurately handle both renewable and absolute expiration strategies, preventing such mismatches and improving compatibility with different OAuth2 providers like Auth0.

Configure Refresh Token Expiration - Absolute Lifetime


Issues related to this change

#167
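
The mismatch described in this pull request, as an added example that is not part of the pull request or the library's code: a client that tracks expiry as 'renewable' against a provider enforcing an absolute lifetime ends up sending a refresh token the provider has already expired. Only the option name `refreshTokenExpiryStrategy` and its two values come from the page; all other names are hypothetical, and the model assumes the provider expires the token exactly at initial issuance plus lifetime.

```typescript
// Added example: client-side refresh token expiry tracking under each strategy.
// All names except the two strategy values are hypothetical.
type RefreshTokenExpiryStrategy = 'renewable' | 'absolute'

interface RefreshTokenState {
  issuedAt: number // seconds, time of the initial issuance
  expiresAt: number // when the client treats the refresh token as expired
}

function onLogin(now: number, lifetime: number): RefreshTokenState {
  return { issuedAt: now, expiresAt: now + lifetime }
}

// Called each time the refresh token is used to obtain new tokens.
function onRefresh(
  state: RefreshTokenState,
  now: number,
  lifetime: number,
  strategy: RefreshTokenExpiryStrategy,
): RefreshTokenState {
  // 'absolute': expiry stays fixed from the initial issuance.
  if (strategy === 'absolute') return state
  // 'renewable': every use restarts the lifetime.
  return { issuedAt: state.issuedAt, expiresAt: now + lifetime }
}

// Replays a session against a provider that enforces an absolute lifetime.
// Returns the time of the first refresh the provider rejects, or null when the
// client never sends a token the provider has already expired.
function firstRejectedRefresh(
  strategy: RefreshTokenExpiryStrategy,
  lifetime: number,
  refreshTimes: number[],
): number | null {
  const loginTime = 0
  const providerExpiry = loginTime + lifetime // assumed provider behaviour
  let state = onLogin(loginTime, lifetime)
  for (const t of refreshTimes) {
    if (t >= state.expiresAt) return null // client knows it expired and asks for a new login
    if (t >= providerExpiry) return t // client believed the token valid; provider rejects it
    state = onRefresh(state, t, lifetime, strategy)
  }
  return null
}

// Constructed sample: 1 hour lifetime, a refresh attempt every 15 minutes.
const sampleRefreshes = [900, 1800, 2700, 3600, 4500]
console.log('renewable:', firstRejectedRefresh('renewable', 3600, sampleRefreshes))
console.log('absolute:', firstRejectedRefresh('absolute', 3600, sampleRefreshes))
```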

@kleysonfiretail kleysonfiretail requested a review from soofstad as a code owner May 30, 2024 08:42
soofstad (Owner) left a comment

Alright, if Auth0 would just respond with the expiry time... 😞
But since they do not, I guess this is the only option we got.

Well written pull-request 👍

Check one comment, the linting, and I will merge this

kleysonfiretail (Contributor, Author)

> Alright, if Auth0 would just respond with the expiry time... 😞 But since they do not, I guess this is the only option we got.
>
> Well written pull-request 👍
>
> Check one comment, the linting, and I will merge this

Thank you. All done.

sebastianvitterso (Collaborator) left a comment

Looks good to me! @soofstad merge at will

@soofstad soofstad merged commit f1608a9 into soofstad:main May 31, 2024
4 checks passed
soofstad (Owner)

Thank you for the contribution @kleysonfiretail 👍
