[ https://issues.apache.org/jira/browse/OFBIZ-13212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17947597#comment-17947597 ]
ASF subversion and git services commented on OFBIZ-13212:
---------------------------------------------------------

Commit 88c5106fef4e80cf089ed1ba0f00ae7026df0d15 in ofbiz-framework's branch refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=88c5106fef ]

Improved: Authentication refresh token mechanism feature (OFBIZ-13212)

The refresh token validity is set to 84,600 seconds, i.e. almost a day (23,5 hours).
That sounds too much to me. I believe 8 hours, or even less, would be enough.
People are rarely straight working more on Single-Page Applications (SPAs) or
a mobile application, which are mostly what the consumers of ID tokens do, as
explained by
https://auth0.com/blog/refresh-tokens-what-are-they-and-when-to-use-them/#Token-Types

For security reasons, this sets security.jwt.refresh.token.expireTime to 28800
seconds, i.e. 8 hours.

> Authentication refresh token mechanism feature
> ----------------------------------------------
>
>                 Key: OFBIZ-13212
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-13212
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: framework/webapp, rest-api
>            Reporter: Arashpreet Singh
>            Assignee: Jacques Le Roux
>            Priority: Major
>

--
This message was sent by Atlassian Jira
(v8.20.10#820010)