no restriction for refresh token lifetime span in identity server 4

僤鯓⒐⒋嵵緔 submitted on 2020-01-06 06:01:26

Question


I use microservices and am currently using a JWT access token for access, but the access token expires after a certain time. To overcome this, I implemented a refresh token to renew the expired access token. Now I want to have no restriction on the refresh token's lifetime span. How can I achieve this?

Note: I am using Identity Server 4 for JWT token generation.


Answer 1:


Looking into the code, validating refresh token lifetime, I see there just

return (now > creationTime.AddSeconds(lifetime));

So the answer is: it's not possible to set it unbounded.

Nevertheless you are free to change the default value of 2592000 seconds / 30 days to something longer. Just set

AbsoluteRefreshTokenLifetime = <your_desired_value>

in (each) client configuration in your IdentityServer.




Answer 2:


As documented, set RefreshTokenExpiration = Sliding and AbsoluteRefreshTokenLifetime = 0.

The DefaultRefreshToken service will accept that as indefinite slide. Relevant code:

// if absolute exp > 0, make sure we don't exceed absolute exp
// if absolute exp = 0, allow indefinite slide

var currentLifetime = refreshToken.CreationTime.GetLifetimeInSeconds(Clock.UtcNow.UtcDateTime);
var newLifetime = currentLifetime + client.SlidingRefreshTokenLifetime;

// zero absolute refresh token lifetime represents unbounded absolute lifetime
// if absolute lifetime > 0, cap at absolute lifetime
if (client.AbsoluteRefreshTokenLifetime > 0 && newLifetime > client.AbsoluteRefreshTokenLifetime)
{
    newLifetime = client.AbsoluteRefreshTokenLifetime;
}
refreshToken.Lifetime = newLifetime;

Set SlidingRefreshTokenLifetime to a longer time, e.g. one month.

With those settings the user can refresh the token indefinitely, with one restriction: the user can't be inactive for more than a month.

You can adjust this value to an acceptable expiration time for you.
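
An added example, not part of either answer or of IdentityServer4's source: a stand-alone C# model of the expiry check quoted in answer 1 and the slide step quoted in answer 2, run over constructed refresh timelines. `RefreshTokenModel`, `SlideDemo` and `FirstRejectedDay` are hypothetical names, and the initial lifetime is assumed to equal the sliding window.

```csharp
using System;

// Hypothetical stand-in for a stored refresh token; not an IdentityServer4 type.
class RefreshTokenModel
{
    public DateTime CreationTime;
    public int Lifetime; // seconds, measured from CreationTime
}

static class SlideDemo
{
    const int Day = 86400;

    // Expiry check as quoted in answer 1.
    static bool IsExpired(RefreshTokenModel t, DateTime now) =>
        now > t.CreationTime.AddSeconds(t.Lifetime);

    // Slide step as quoted in answer 2; absolute == 0 means no cap.
    static void Slide(RefreshTokenModel t, DateTime now, int sliding, int absolute)
    {
        var currentLifetime = (int)(now - t.CreationTime).TotalSeconds;
        var newLifetime = currentLifetime + sliding;
        if (absolute > 0 && newLifetime > absolute) newLifetime = absolute;
        t.Lifetime = newLifetime;
    }

    // Returns the day on which a refresh is first rejected, or -1 if all succeed.
    public static int FirstRejectedDay(int[] refreshDays, int sliding, int absolute)
    {
        var start = new DateTime(2020, 1, 1, 0, 0, 0, DateTimeKind.Utc); // constructed
        // Assumption: the token is issued with Lifetime equal to the sliding window.
        var token = new RefreshTokenModel { CreationTime = start, Lifetime = sliding };
        foreach (var day in refreshDays)
        {
            var now = start.AddDays(day);
            if (IsExpired(token, now)) return day;
            Slide(token, now, sliding, absolute);
        }
        return -1;
    }

    static void Main()
    {
        int[] active = { 20, 40, 60, 80, 100 }; // constructed: every gap is inside the window
        int[] idle = { 20, 40, 75 };            // constructed: one 35-day gap
        Console.WriteLine(FirstRejectedDay(active, 30 * Day, 0));        // unbounded slide
        Console.WriteLine(FirstRejectedDay(idle, 30 * Day, 0));          // inactivity limit
        Console.WriteLine(FirstRejectedDay(active, 30 * Day, 90 * Day)); // absolute cap
    }
}
```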



Source: https://stackoverflow.com/questions/56629810/no-restriction-for-refresh-token-lifetime-span-in-identity-server-4