By: Rui Engana Account Admin 25 Nov 2020 at 4:07 a.m. CST

4 Responses
Gluu Team, is there a way to configure the OP to send a refresh token without the RP explicitly requesting the offline_access scope? Also, where can we define the refresh token strategy? I am looking specifically for the 2 perspectives below:

1. Token Strategy: renew refresh token on each use vs. single refresh token with multiple uses
2. Refresh Token TTL: refresh token for X days and newly issued refresh tokens will always keep that fixed TTL as exp date vs. moving TTL window, where each refresh token allows an extra X days from token issuance.

Thanks! Rui
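The two policy axes in the question above, as an added example that is not part of the original thread and is not oxAuth or Janssen code: an in-memory store where `rotate` selects renew-on-each-use versus one reusable token, and `sliding` selects a moving versus a fixed TTL. All class and parameter names are hypothetical, and revoking the whole grant when a rotated-out token is presented again is an assumption of this example.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Grant:
    grant_id: str
    expires_at: float      # absolute expiry shared by every token of this grant
    revoked: bool = False

class RefreshTokenStore:
    """Hypothetical in-memory model of refresh token policy (not oxAuth code)."""

    def __init__(self, ttl, rotate, sliding):
        self.ttl, self.rotate, self.sliding = ttl, rotate, sliding
        self.tokens = {}   # token value -> [Grant, still_current]

    def _mint(self, grant):
        token = secrets.token_urlsafe(32)
        self.tokens[token] = [grant, True]
        return token

    def issue(self, now):
        # First refresh token of a new grant; expiry starts at now + ttl.
        return self._mint(Grant(secrets.token_hex(8), now + self.ttl))

    def refresh(self, token, now):
        """Return the refresh token the client must hold next, or raise."""
        entry = self.tokens.get(token)
        if entry is None:
            raise PermissionError("unknown token")
        grant, current = entry
        if grant.revoked:
            raise PermissionError("grant revoked")
        if not current:
            # A rotated-out token came back: treat it as replay and
            # revoke the grant so the newer token stops working too.
            grant.revoked = True
            raise PermissionError("reuse of rotated token")
        if now >= grant.expires_at:
            raise PermissionError("expired")
        if self.sliding:
            grant.expires_at = now + self.ttl   # moving window: X more from this use
        if not self.rotate:
            return token                        # single token, multiple uses
        entry[1] = False                        # retire the presented token
        return self._mint(grant)                # fixed TTL keeps the original expiry
```

With `rotate=True` and `sliding=False`, a session ends X after the first issuance no matter how often it is refreshed; with `sliding=True`, an active client can keep the grant alive indefinitely.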

By Michael Schwartz Account Admin 29 Nov 2020 at 9:09 p.m. CST

There is a property that disables the requirement for the offline scope. We'll have to look that up. I can't remember offhand. Your other requirements need research. If it's not possible, we can put it in the development queue for Janssen.

By Rui Engana Account Admin 30 Nov 2020 at 3:09 a.m. CST

Hi Mike, thank you for searching into this. Regarding 2, it's not a hard requirement for now. We mainly want to know available options for Refresh Tokens strategy. Kind regards, Rui

By Michael Schwartz Account Admin 08 Dec 2020 at 9:15 a.m. CST

BTW, the oxAuth JSON property is called `forceOfflineAccessScopeToEnableRefreshToken`.

@Vadim.Saratovtsev: Can you open two issues in Janssen to track the good ideas for refresh token policy?

By Vadim Saratovtsev user 11 Dec 2020 at 11:01 a.m. CST

Enhancement requests for token renewal and token refresh TTL have been created on JanssenProject GitHub Issues. We will continue to monitor progress of the requests and update everyone involved.

https://github.com/JanssenProject/jans-auth-server/issues/14
https://github.com/JanssenProject/jans-auth-server/issues/13