Refresh Token lifetime greater than Session Lifetime

Hello, I have a question regarding the behavior of user sessions with the refresh token’s token_lifetime set to 3 years and the Session Lifetime at the tenant level set to 1 year.

Does this refresh token configuration make sense for 3 years, knowing that after a year of having logged in, the user will be forced to re-enter their credentials anyway? Would this configuration have any practical use?

Hello @lbarbosa !

Your understanding is correct in that, regardless of whether the refresh token lifetime is 3 years, users will be forced to re-auth at the end of the session lifetime. In this context it doesn’t really have any practical use.
