Hello, I have a question regarding the behavior of user sessions with the refresh token’s token_lifetime set to 3 years and the Session Lifetime at the tenant level set to 1 year.
Does this refresh token configuration make sense for 3 years, knowing that after a year of having logged in, the user will be forced to re-enter their credentials anyway? Would this configuration have any practical use?
Your understanding is correct in that regardless of whether the refresh token lifetime is 3 years, users will be forced to re-auth at the end of the session lifetime. In this context, it doesn’t really have any practical use.