We are using refresh tokens to obtain access tokens with Auth0.
We want to change the refresh token setting from a method using “Absolute Lifetime and Inactivity Lifetime” to a method using “only Inactivity Lifetime”:
Before:
・Refresh Token Rotation: enabled
・Refresh Token Expiration
  ・Absolute Expiration: ON (31536000 s)
  ・Inactivity Expiration: ON (31535999 s)
↓↓
After:
・Refresh Token Rotation: disabled
・Refresh Token Expiration
  ・Absolute Expiration: OFF (31536000 s)
  ・Inactivity Expiration (no change): ON (31535999 s)
I have a few questions.
After applying the new setting, would the refresh tokens currently used by users become invalid?
If so, I assume that all of the app users need to re-authenticate when they have to refresh access tokens. Are there any solutions to avoid this problem?
Disabling refresh token rotation is NOT recommended. This is for security. If a refresh token is somehow leaked and used, the refresh token rotation will prevent additional compromise. If you turn off refresh token rotation, and an attacker gets a refresh token, they have a lifetime supply of access tokens.
And if you turn on rotation, you cannot disable the absolute expiration.
I do not think that changing the settings invalidates the current refresh tokens or sessions, but I haven’t tested that.
I’d just set the absolute expiration to the maximum time (1 year maybe?)
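To make the point about rotation concrete, here is an added Python model (not code from this thread or from Auth0) of the three settings being discussed: rotation with reuse detection, absolute lifetime and inactivity lifetime. It assumes a simplified server in which presenting an already-rotated token revokes the whole token family, and it shows that without rotation a copied token that keeps being refreshed stays valid indefinitely once only the inactivity lifetime applies.

```python
import secrets

class RefreshTokenServer:
    """Toy model of refresh-token rules (constructed example, not Auth0's implementation).
    rotation: each refresh returns a new token; replaying an already-rotated token revokes its
    family. absolute/inactivity: lifetimes in seconds (None = off); absolute counts from the
    family's first issuance. refresh() returns the next token to present, or None if rejected."""
    def __init__(self, rotation, absolute=None, inactivity=None):
        self.rotation, self.absolute, self.inactivity = rotation, absolute, inactivity
        self.tokens, self.families = {}, {}  # token -> record, family id -> {issued, revoked}

    def issue(self, now, family=None):
        tok = secrets.token_urlsafe(16)
        if family is None:  # first token of a new family, i.e. a fresh login
            family, self.families[tok] = tok, {"issued": now, "revoked": False}
        self.tokens[tok] = {"family": family, "last_used": now, "rotated": False}
        return tok

    def refresh(self, tok, now):
        rec = self.tokens.get(tok)
        fam = rec and self.families[rec["family"]]
        if rec is None or fam["revoked"]:
            return None
        if rec["rotated"]:  # reuse of a rotated token: assume the family is compromised
            fam["revoked"] = True
            return None
        if (self.absolute is not None and now - fam["issued"] >= self.absolute) or (
                self.inactivity is not None and now - rec["last_used"] >= self.inactivity):
            return None
        rec["last_used"] = now
        if not self.rotation:
            return tok  # the same token stays valid for as long as it keeps being used
        rec["rotated"] = True
        return self.issue(now, rec["family"])

def leaked_token_outcome(rotation):
    srv = RefreshTokenServer(rotation, absolute=31536000, inactivity=31535999)
    user_tok = srv.issue(0)                             # token copied by another party at t=0
    other_tok = srv.refresh(user_tok, 10)               # other party refreshes first: accepted either way
    user_ok = srv.refresh(user_tok, 20) is not None      # with rotation this is a replay
    other_ok = srv.refresh(other_tok, 30) is not None    # with rotation the family is now revoked
    return user_ok, other_ok  # (user's refresh accepted?, other party's second refresh accepted?)

def stays_valid_for_years(absolute, inactivity, years=3):
    """Without rotation: does a token that is refreshed once a day survive `years`?"""
    srv = RefreshTokenServer(False, absolute=absolute, inactivity=inactivity)
    tok = srv.issue(0)
    for day in range(1, 365 * years + 1):
        tok = tok and srv.refresh(tok, day * 86400)
    return tok is not None
```

With rotation on, the legitimate user's refresh is rejected as well; that is the intended signal that the token family has leaked, and the user is sent back through login. With rotation off and absolute expiration off, the same token refreshed daily is still accepted years later.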
Although I understand that disabling refresh token is not recommended, our team gives priority to a seamless user experience in our app (using only Inactivity Expiration).
Thanks, please let me know if you have additional info.