Versions Compared

Version Old Version 4 New Version 5
Changes made by

Silvan Grüter

Rehan Agarwal

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Both the id token and the access token usually are only valid for a number of seconds as indicated in the exp claim. In order to prolong the access token, there is the concept of a refresh token that can be used to request a new access token without the users interaction. This allows an application to act on behalf of the user even beyond the users interaction. This is done by issuing a refresh token to the application. The application then can exchange that refresh token for a new access token.

Refresh Token Settings

Managing the lifetime of a refresh token is crucial for maintaining an application's security and usability. Here, the terms absolute and sliding refer to the refresh token's expiration settings.

Absolute expiration is a fixed period after which a token will expire, regardless of the user activity. Once set, the expiration time cannot be changed. This setting is crucial for scenarios where a strict policy on token lifetime is necessary due to security considerations.

For example, you might configure a refresh token to have an absolute expiration time of 30 days. Regardless of how often the user uses the token within those 30 days, it will expire at the end of that period.

Sliding expiration extends the expiration period of a token when newly issued (by the amount specified in the client configuration). This setting is useful for user experience, as active users do not need to re-authenticate or refresh their tokens as frequently.

For instance, if a sliding expiration is set for 5 days, and the user interacts with the application within those 5 days, the expiration time is reset to another 5 days from the last access, not exceeding a maximum limit if one is set (like 90 days).

Note

Important: You can combine the absolute expiration period with the sliding expiration period. Note that the absolute expiration serves as a hard limit of the tokens total lifetime. That means, that the sliding mechanism can extend the tokens duration, as long as it doesn’t exceed the absolute expiration period.

Scenarios

E-Goverment: An example might be a user filling out a tax form. In this case, security is of high importance. The following settings might be helpful: Absolut for 4 hours and Sliding for 1 hour. In this case, requesting a new refresh and access token can be done 4 times, as the absolute expiration is set for 4 hours and the sliding setting is set for 1 hour.

Enterprise: An example might be an employee working with Atlassian Jira. In this case, security is of high importance, and so is user experience. The following settings might be helpful: Absolute for 8 hours and Sliding for 1 hour. In this case, requesting a new refresh and access token can be done 8 times, as the absolute expiration is set for 8 hours and the sliding setting is set for 1 hour.

Consumer: An example might be a regular user browsing a social media platform like Instagram. The user experience takes precedence. The following settings are recommended: Absolut for 1 Month and Sliding for 1 hour. These settings allow for a significant number of 720 requests for a new refresh and access token, as the absolute expiration is set for 1 Month (~approx. 720 hours) and the sliding setting is set for 1 hour.

Self-Contained vs Reference Token

...