I have a scenario where I would like to limit the lifetime of a refresh token.
So my initial thought was to store a reference to the refresh token in the user's meta-data, including an expiry time.
If the user uses the refresh token before the expiry time, the meta-data is updated with a new expiry time.
If the user uses the refresh token after the expiry time, then the token should be revoked and the meta-data reference deleted.
When getting a new refresh token, a device credential is created with a unique id.
This id is also used when revoking a refresh token.
A solution could be to store this id with an expiry time during the "get refresh token" call via rules, but I haven't found a way to retrieve this id.
The issue is that I don't know which refresh token from the list of device credentials a current token exchange is about. So the only solution is to revoke all refresh tokens or none.
My question is then: is it possible to get the device credential id associated with the refresh token during the authorize call via rules? Or are there better ways to achieve this refresh token expiry time functionality?
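The policy described in the post (a sliding expiry that is extended on each use, revocation and deletion of the reference once the expiry has passed, and "revoke all" as the fallback when a token cannot be matched) can be expressed as a small application-side store. The following is an added example, not code from the original post and not an Auth0 API; it assumes the application itself issues opaque refresh tokens, keys its records by a SHA-256 hash of the token (so a leaked database does not leak usable tokens), and rotates the token on every successful refresh so an old copy cannot be replayed. The injectable `now` clock and the `absolute_ttl` hard cap are assumptions added for testability and defence in depth.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class RefreshRecord:
    user_id: str
    idle_expires_at: float      # sliding expiry: extended on each successful use
    absolute_expires_at: float  # hard cap: never extended, bounds the session lifetime


class RefreshTokenStore:
    """In-memory store; a real deployment would back this with a database."""

    def __init__(self, idle_ttl: float, absolute_ttl: float, now=time.time):
        self.idle_ttl = idle_ttl
        self.absolute_ttl = absolute_ttl
        self.now = now                 # injectable clock (assumed, for testing)
        self._records: dict[str, RefreshRecord] = {}  # token hash -> record

    @staticmethod
    def _hash(token: str) -> str:
        # Store only a digest so the table never holds a usable token.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str) -> str:
        """Create a fresh refresh token for the user and record its expiry."""
        token = secrets.token_urlsafe(32)
        t = self.now()
        self._records[self._hash(token)] = RefreshRecord(
            user_id, t + self.idle_ttl, t + self.absolute_ttl)
        return token

    def refresh(self, token: str):
        """Exchange a refresh token.

        Returns (status, new_token): status is "ok", "revoked" (expiry passed,
        reference deleted) or "unknown" (never issued or already rotated out).
        """
        h = self._hash(token)
        rec = self._records.get(h)
        if rec is None:
            return "unknown", None
        t = self.now()
        if t > rec.idle_expires_at or t > rec.absolute_expires_at:
            # Used after expiry: revoke and delete the reference, as the post describes.
            del self._records[h]
            return "revoked", None
        # Used before expiry: rotate the token and slide the idle expiry forward,
        # but never past the absolute cap.
        del self._records[h]
        new_token = secrets.token_urlsafe(32)
        self._records[self._hash(new_token)] = RefreshRecord(
            rec.user_id,
            min(t + self.idle_ttl, rec.absolute_expires_at),
            rec.absolute_expires_at)
        return "ok", new_token

    def revoke_all(self, user_id: str) -> int:
        """Fallback from the post: revoke every refresh token of a user.

        Returns the number of tokens revoked.
        """
        doomed = [h for h, r in self._records.items() if r.user_id == user_id]
        for h in doomed:
            del self._records[h]
        return len(doomed)

    def active_count(self, user_id: str) -> int:
        return sum(1 for r in self._records.values() if r.user_id == user_id)


if __name__ == "__main__":
    store = RefreshTokenStore(idle_ttl=60, absolute_ttl=300)
    tok = store.issue("alice")
    print(store.refresh(tok)[0])   # "ok": used within the idle window
    print(store.refresh(tok)[0])   # "unknown": the old token was rotated out
```

Because the token is rotated on each use, the store always knows exactly which record a given exchange refers to, which is the matching problem the post runs into with device credentials; the absolute cap ensures a token that is used constantly still cannot live forever.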