Why is the refresh token set to expire in 10 years when designing the app auth specification?

I am designing the app auth API with OAuth 2.0. Now I found that some companies set the refresh token to expire after 10 years! Why design it like that? Is it good practice? How long should I set the refresh token expiry time?

I found that the Google OAuth 2.0 refresh token never expires for native apps: https://developers.google.com/identity/protocols/oauth2/native-app

Solution 1:[1]

It all depends on how often you want to force the user to log in again and reauthenticate.

In some systems you want the user to do this more often, and in a system with, for example, a 10-year refresh token, you don't want the user to have to log in again after the first successful authentication.

Solution 2:[2]

It's a bad idea to set the lifetime of refresh_token to 10 years; like that you have a big security problem. The best implementation of refresh_token is that when it is used the first time it should be revoked, or it should have a lifetime not much longer than access_token. See my other answer here.
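The single-use refresh token that Solution 2 recommends, as an added example that is not part of either answer: a hypothetical in-memory store in Python that rotates the refresh token on every use, enforces an absolute lifetime, and goes one step beyond the answer by revoking the whole login session (token family) if an already-rotated token is presented again, since that is the signature of a copied or replayed token.

```python
import hashlib
import secrets
import time


class RefreshTokenStore:
    """Single-use (rotating) refresh tokens grouped into per-login families.

    A token is valid for exactly one refresh call; that call returns a fresh
    token in the same family. Presenting a token that was already rotated
    revokes the entire family, so a stolen copy cannot be replayed quietly.
    Hypothetical example: an in-memory dict stands in for a real database.
    """

    def __init__(self, lifetime_s=14 * 24 * 3600, now=time.time):
        self.lifetime_s = lifetime_s      # absolute lifetime of each token
        self.now = now                    # injectable clock for testing
        self._tokens = {}                 # sha256(token) -> record
        self._revoked = set()             # families that have been revoked

    @staticmethod
    def _key(token):
        # Store only a hash so a leaked database does not leak usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def _issue(self, user, family):
        token = secrets.token_urlsafe(32)
        self._tokens[self._key(token)] = {
            "user": user, "family": family,
            "expires": self.now() + self.lifetime_s, "used": False,
        }
        return token

    def login(self, user):
        """Start a new token family for a successful interactive login."""
        return self._issue(user, secrets.token_hex(8))

    def refresh(self, token):
        """Return a new refresh token, or None if the presented one is invalid."""
        rec = self._tokens.get(self._key(token))
        if rec is None or rec["family"] in self._revoked:
            return None
        if rec["used"]:
            # Reuse of a rotated token: treat the whole session as compromised.
            self._revoked.add(rec["family"])
            return None
        if self.now() > rec["expires"]:
            return None
        rec["used"] = True
        return self._issue(rec["user"], rec["family"])
```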

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Tore Nestenius
Solution 2 GAOUL