By: Rui Engana Account Admin 25 Nov 2020 at 4:07 a.m. CST

4 Responses
Rui Engana gravatar
Gluu Team, is there a way to configure the OP to send a refresh token without the RP explicitly requesting the offline_access scope? Also, where can we define the refresh token strategy? I am looking specifically for the 2 perspectives below: 1. Token Strategy: renew refresh token on each use vs. single refresh token with multiple uses 2. Refresh Token TTL: refresh token for X days and new issued refresh tokens will always keep that fixed TTL as exp date vs. moving TTL window, where each refresh token allows an extra X days from token issuance. Thanks! Rui

By Michael Schwartz staff 29 Nov 2020 at 9:09 p.m. CST

Michael Schwartz gravatar
There is a property that disables the requirement for the offline scope. We'll have to look. that up. I can't remember off hand. Your other requirements need research. If it's not possible, we can put it in the development queue for Janssen.

By Rui Engana Account Admin 30 Nov 2020 at 3:09 a.m. CST

Rui Engana gravatar
Hi Mike, thank you for searching into this. Regarding 2, it's not a hard requirement for now. We mainly want to know available options for Refresh Tokens strategy. Kind regards, Rui

By Michael Schwartz staff 08 Dec 2020 at 9:15 a.m. CST

Michael Schwartz gravatar
BTW, the oxAuth JSON property is called `forceOfflineAccessScopeToEnableRefreshToken` @Vadim.Saratovtsev : Can you open two issues in Janssen to track the good ideas for refresh token policy?

By Vadim Saratovtsev staff 11 Dec 2020 at 11:01 a.m. CST

Vadim Saratovtsev gravatar
Enhancement requests for token renewal and token refresh TTL have been created on JanssenProject GitHub Issues. We will continue to monitor progress of the requests and update everyone involved. https://github.com/JanssenProject/jans-auth-server/issues/14 https://github.com/JanssenProject/jans-auth-server/issues/13