Refresh Tokens are used when useRefreshTokens is set to true when configuring the SDK.
After flicking the option I don’t see any changes in the application or the console. Because this is a pretty important security option - is there a way to verify that it’s working correctly?
If you want to see that a refresh token expires, I’d suggest configuring one of your dev/test tenants with a short timeout, getting a refresh token, waiting and trying to exchange it.
Thanks for this. So I gave it a go and I don’t think it’s working.
My actions:
Add this to auth_config.json
"useRefreshTokens": true
In tenant settings for the SPA set Refresh Token Rotation to on, absolute expiration to 5 and inactivity lifetime to 3.
Log in to the app → wait for 10 seconds → I can still do all the actions with no problem. So it seems rotation is not working / token is not expiring?
My setup is Vue SPA on the front end and a Flask API on the backend. The above settings were changed for the SPA, they are greyed out for the API in the tenant.
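
The check suggested earlier in the thread (get a refresh token, wait past the configured lifetime, try to exchange it), as an added example that is not part of the original posts: it builds the standard OAuth 2.0 refresh-token grant for the tenant's `/oauth/token` endpoint and classifies the reply. The tenant domain, client ID, token values, sample replies and function names are constructed placeholders.

```javascript
// Added example: domain, client ID and token values are constructed placeholders.
const TENANT_DOMAIN = "example-tenant.invalid"; // placeholder, not a real tenant

// Build the OAuth 2.0 refresh-token grant (RFC 6749, section 6).
function buildRefreshRequest(domain, clientId, refreshToken) {
  const body = new URLSearchParams({
    grant_type: "refresh_token",
    client_id: clientId,
    refresh_token: refreshToken,
  });
  return {
    url: `https://${domain}/oauth/token`,
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString(),
  };
}

// Classify the token endpoint's JSON reply to one exchange attempt.
function classifyExchange(sentRefreshToken, reply) {
  // invalid_grant: the refresh token is expired, revoked or already used.
  if (reply.error === "invalid_grant") return "rejected";
  if (reply.error) return `error:${reply.error}`;
  if (!reply.access_token) return "malformed";
  // With rotation on, a successful exchange hands back a different refresh token.
  if (reply.refresh_token && reply.refresh_token !== sentRefreshToken) {
    return "rotated";
  }
  return "accepted-not-rotated";
}

// Constructed replies standing in for what the token endpoint could return.
const SAMPLE_REPLIES = {
  beforeLifetime: { access_token: "at-2", refresh_token: "rt-2", expires_in: 86400 },
  afterLifetime: { error: "invalid_grant", error_description: "constructed sample" },
  noRotation: { access_token: "at-2", expires_in: 86400 },
};

// Run the classifier over every sample, as if "rt-1" had been sent each time.
function runSamples() {
  return Object.fromEntries(
    Object.entries(SAMPLE_REPLIES).map(([name, reply]) => [
      name,
      classifyExchange("rt-1", reply),
    ])
  );
}
```

A `rotated` result before the configured lifetime and a `rejected` result after it is what shows the setting took effect; API calls made with an access token that is still valid do not exercise the refresh token at all.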