Refresh token absolute expiration duration

Just wanted to verify one simple detail regarding refresh token absolute expiration with token rotation enabled, based on the following scenario in a mobile app.

User signs in and gets a refresh token with X days lifetime.
After one day we silently make a call to refresh the tokens and we get a new access and refresh token. The question is: will the new refresh token have an X-day lifetime or an X-1-day lifetime? Meaning, has it inherited the previous token's lifetime and will it inevitably force the user to sign in after X-1 days?

Thank you

Hi @ioannis.k

It’s a tricky one :slightly_smiling_face:
I read the documentation multiple times and each time came to a different conclusion. :smile:

I found this text in the following documentation that seems to exactly answer your question.

"The Absolute Expiration of the rotating refresh token is defined on creation and is not changed, even with an exchange."
Source: Configure Refresh Token Expiration

I interpret this as: even though you are getting a new refresh token on exchange, the absolute expiry is calculated based on the first refresh token issued in the token family. Meaning after the expiry it would not work and the user needs to log in again.
So, based on this I would say you get X-1 days of lifetime.

I might be wrong still. :man_shrugging:

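A constructed Python model of the behaviour @pazel quotes, added here as an illustration (it is not Auth0's code or anything posted in the thread): the family's absolute expiry is fixed once at sign-in, every rotated token inherits it unchanged, and presenting an already-exchanged token revokes the whole family. The class `RefreshTokenFamily`, the helper functions and the timestamp `T0` are assumptions of the example.

```python
import secrets
from datetime import datetime, timedelta, timezone

T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed sign-in time


class RefreshTokenFamily:
    """Chain of rotating refresh tokens that share one fixed absolute expiry.
    Assumption: the expiry is set once at sign-in and every rotated token
    inherits it unchanged, as the quoted documentation says (constructed model)."""
    def __init__(self, absolute_lifetime: timedelta, now: datetime):
        self.absolute_expiry = now + absolute_lifetime
        self.current = secrets.token_urlsafe(32)
        self.used = set()  # tokens already exchanged once
        self.revoked = False

    def rotate(self, presented: str, now: datetime) -> str:
        """Exchange `presented` for a fresh token; absolute_expiry does not move."""
        if self.revoked:
            raise PermissionError("family revoked")
        if presented in self.used:
            # An already-exchanged token came back: the reuse signal rotation
            # exists to catch, so the whole family is invalidated.
            self.revoked = True
            raise PermissionError("refresh token reuse detected")
        if presented != self.current:
            raise PermissionError("unknown refresh token")
        if now >= self.absolute_expiry:
            raise PermissionError("absolute expiry reached; sign in again")
        self.used.add(presented)
        self.current = secrets.token_urlsafe(32)
        return self.current


def days_left_after_rotation(lifetime_days: int, rotate_after_days: int) -> int:
    """Sign in with an X-day token, rotate once after N days, return days left."""
    fam = RefreshTokenFamily(timedelta(days=lifetime_days), T0)
    t1 = T0 + timedelta(days=rotate_after_days)
    fam.rotate(fam.current, t1)
    return (fam.absolute_expiry - t1).days


def reuse_revokes_family() -> bool:
    """Present the same token twice; the second exchange must revoke the family."""
    fam = RefreshTokenFamily(timedelta(days=30), T0)
    old = fam.current
    fam.rotate(old, T0 + timedelta(hours=1))
    try:
        fam.rotate(old, T0 + timedelta(hours=2))
    except PermissionError:
        return fam.revoked
    return False
```

With a 30-day absolute lifetime and one rotation after a day, the new token has 29 days left, which is the X-1 outcome described in the reply.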

Thanks for the response @pazel. I think I will need to test it and see.

