Refresh token best practices

Hi @bryceb

Thank you for reaching out to us!

After reading through your use-case, I would agree that configuring Refresh Token Rotation would be the best course of action. It appears that the users are being forced to re-authenticate after 15 days of not using the application, after which the refresh token is expired and a new one needs to be issued.

Maintaining the Maximum Refresh Token Lifetime at 1 year should ensure that the session persists if the users periodically login and trigger the token rotation, and the refresh tokens will only expire after the set period of time.

Leaving this documentation here in case it comes in handy, to you and other Community members:

Hope this helped!
Gerald
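As an added example (not part of Gerald's reply and not Auth0's own code), the following in-memory store shows how the two settings discussed above interact under Refresh Token Rotation: every use of a refresh token mints a successor, a token that sits unused for the inactivity lifetime expires, and the whole session is capped by an absolute lifetime measured from the original login. It goes one step beyond the thread by also revoking the token family when an already-rotated token is presented again, which is the reuse-detection behaviour rotation is normally paired with. The lifetime values (15 days idle, 1 year maximum), the class and function names, and the sample refresh schedules are all assumptions chosen to mirror the thread.

```python
"""Refresh token rotation with inactivity and absolute lifetimes.

Added example for this thread, not Auth0's own code or the poster's
configuration. Lifetimes are assumptions mirroring the thread.
"""
import hashlib
import secrets
from dataclasses import dataclass

DAY = 24 * 3600
INACTIVITY_LIFETIME = 15 * DAY   # assumed: the 15-day idle expiry from the thread
ABSOLUTE_LIFETIME = 365 * DAY    # assumed: the 1-year maximum refresh token lifetime


class RefreshRejected(Exception):
    """Refresh attempt refused; str(exc) carries the reason."""


@dataclass
class TokenRecord:
    family: str         # all tokens descending from one login share a family id
    expires_at: int     # inactivity expiry: issue time + INACTIVITY_LIFETIME
    used: bool = False  # set once the token has been exchanged for its successor


@dataclass
class Family:
    created_at: int     # time of the original login; absolute lifetime runs from here
    revoked: bool = False


class RefreshTokenStore:
    def __init__(self):
        self._tokens = {}    # sha256(token) -> TokenRecord; raw tokens are never stored
        self._families = {}  # family id -> Family

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def _mint(self, family, now):
        token = secrets.token_urlsafe(32)
        self._tokens[self._key(token)] = TokenRecord(family, now + INACTIVITY_LIFETIME)
        return token

    def issue(self, now):
        """Called after interactive login: start a new family and mint its first token."""
        family = secrets.token_urlsafe(16)
        self._families[family] = Family(created_at=now)
        return self._mint(family, now)

    def rotate(self, token, now):
        """Exchange a refresh token for its successor, or raise RefreshRejected."""
        rec = self._tokens.get(self._key(token))
        if rec is None:
            raise RefreshRejected("unknown token")
        fam = self._families[rec.family]
        if fam.revoked:
            raise RefreshRejected("family revoked")
        if rec.used:
            # A rotated token presented again means either the legitimate client lost
            # the rotation response or someone replayed a stolen token. Both cases are
            # handled the same way: revoke the family so the user must log in again.
            fam.revoked = True
            raise RefreshRejected("reuse detected, family revoked")
        if now >= rec.expires_at:
            raise RefreshRejected("inactivity lifetime exceeded")
        if now >= fam.created_at + ABSOLUTE_LIFETIME:
            fam.revoked = True
            raise RefreshRejected("absolute lifetime exceeded")
        rec.used = True
        return self._mint(rec.family, now)


def try_rotate(store, token, now):
    """Return (new_token, 'rotated') on success or (None, reason) on rejection."""
    try:
        return store.rotate(token, now), "rotated"
    except RefreshRejected as exc:
        return None, str(exc)


def simulate(store, times):
    """Log in at t=0, attempt a refresh at each time (seconds), return the outcomes."""
    token = store.issue(0)
    outcomes = []
    for t in times:
        new_token, outcome = try_rotate(store, token, t)
        outcomes.append(outcome)
        if new_token is not None:
            token = new_token
    return outcomes


if __name__ == "__main__":
    # Refreshing every 10 days keeps the session alive; a 16-day gap ends it.
    print(simulate(RefreshTokenStore(), [10 * DAY, 20 * DAY, 36 * DAY]))
    # Refreshing every 14 days still hits the 1-year absolute lifetime eventually.
    print(simulate(RefreshTokenStore(), [14 * DAY * i for i in range(1, 28)])[-1])
```

The inactivity clock restarts on every successful rotation, which is why periodic use keeps the session alive, while the absolute clock is tied to the family and never restarts; that is the distinction between the 15-day and 1-year values in the question.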