Can anyone explain why there is no option to have refresh token rotation with a sliding expiry?
I would like to issue a new fresh token after every access token expiry and have the lifetime of the token extended each time. Currently the closest option I can see is to combine an absolute expiry of, say, a year with an inactivity expiry of 2 weeks.
Currently I am using only the inactivity expiry, which is fine. However, I have lost the perceived added security of the refresh token rotation and any refresh tokens in the browser due to the new standards for browsers.