> FWIW, in addition, those can be used together -- sliding & absolute.
Azure AD does both at this point. They used to do 90 days absolute, now it is a sliding, 72 hours by default I believe.

Good discussion overall, would this be a good summary for the type of a client the spec is for:

SHOULD NOT use refresh tokens unless the token endpoint mirrors user authentication or the OP supports expiration, rotation and revocation of refresh tokens

On Sunday, July 21, 2019, 04:45:07 PM GMT+2, Brock Allen <brockal...@gmail.com> wrote:

>> IdentityServer allows a choice of behavior on refresh token expiration time.
>> It can have an absolute expiration time, or use a sliding window.
>
> FWIW, in addition, those can be used together -- sliding & absolute.
>
> Finally, refresh tokens can be re-used or one-time use only.
>
> These are all per-client settings.
>
> -Brock

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
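The thread describes four per-client refresh token controls: an absolute lifetime, a sliding window, the two combined, and one-time use (rotation) with revocation. The following is an added illustration of how a token endpoint can enforce all of them together; it is example code written for this page, not IdentityServer's or Azure AD's implementation, and the class and field names (ClientPolicy, RefreshTokenStore, the "spa" and "native" clients, the 30-day and 72-hour values) are constructed assumptions. The replay check revokes the whole token family when a rotated token is presented twice, which is the behaviour that makes one-time use worth having.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Dict, Tuple

HOUR = 3600.0
DAY = 24 * HOUR


class TokenError(Exception):
    """Maps to the OAuth 'invalid_grant' error at the token endpoint."""


@dataclass
class ClientPolicy:
    """Per-client refresh token settings (hypothetical names chosen for this example)."""
    absolute_lifetime: Optional[float] = 30 * DAY   # seconds since the original grant; None = no cap
    sliding_lifetime: Optional[float] = 72 * HOUR   # seconds since last use; None = no sliding window
    one_time_use: bool = True                       # rotate the token on every refresh


@dataclass
class RefreshToken:
    client_id: str
    subject: str
    family: str        # shared by every token rotated from the same original grant
    issued_at: float   # time of the original grant, inherited across rotations
    last_used: float
    used: bool = False
    revoked: bool = False


class RefreshTokenStore:
    """Server-side store enforcing absolute + sliding expiry, rotation and revocation."""

    def __init__(self, policies: Dict[str, ClientPolicy], clock=time.time):
        self.policies = policies
        self.clock = clock          # injectable so expiry can be exercised deterministically
        self.tokens: Dict[str, RefreshToken] = {}

    def issue(self, client_id: str, subject: str, family: Optional[str] = None,
              issued_at: Optional[float] = None) -> str:
        now = self.clock()
        handle = secrets.token_urlsafe(32)      # opaque reference token; the store is the only record
        self.tokens[handle] = RefreshToken(client_id, subject, family or secrets.token_hex(8),
                                           now if issued_at is None else issued_at, now)
        return handle

    def revoke(self, handle: str) -> None:
        if handle in self.tokens:
            self.tokens[handle].revoked = True

    def revoke_family(self, family: str) -> None:
        for tok in self.tokens.values():
            if tok.family == family:
                tok.revoked = True

    def _expired(self, tok: RefreshToken, policy: ClientPolicy, now: float) -> bool:
        if policy.absolute_lifetime is not None and now - tok.issued_at > policy.absolute_lifetime:
            return True   # absolute cap counts from the original grant, not the last rotation
        return policy.sliding_lifetime is not None and now - tok.last_used > policy.sliding_lifetime

    def refresh(self, handle: str, client_id: str) -> Tuple[str, str]:
        """Validate a refresh token; return (token to hand back to the client, subject)."""
        tok = self.tokens.get(handle)
        if tok is None or tok.client_id != client_id or tok.revoked:
            raise TokenError("invalid_grant")
        policy, now = self.policies[client_id], self.clock()
        if tok.used and policy.one_time_use:
            # A rotated token presented again: the client lost the new one or a copy leaked.
            # Revoke the whole family so neither holder can continue the session.
            self.revoke_family(tok.family)
            raise TokenError("invalid_grant")
        if self._expired(tok, policy, now):
            raise TokenError("invalid_grant")
        if policy.one_time_use:
            tok.used = True
            return self.issue(client_id, tok.subject, tok.family, tok.issued_at), tok.subject
        tok.last_used = now          # reusable token: only the sliding window moves
        return handle, tok.subject


class FakeClock:
    def __init__(self, t: float = 0.0): self.t = t
    def __call__(self) -> float: return self.t


def _fails(store: RefreshTokenStore, handle: str, client_id: str) -> bool:
    try:
        store.refresh(handle, client_id)
        return False
    except TokenError:
        return True


def run_scenarios() -> dict:
    """Constructed walk-through of the four controls; returns the observed outcomes."""
    clock = FakeClock()
    store = RefreshTokenStore({
        "spa": ClientPolicy(absolute_lifetime=30 * DAY, sliding_lifetime=72 * HOUR, one_time_use=True),
        "native": ClientPolicy(absolute_lifetime=None, sliding_lifetime=72 * HOUR, one_time_use=False),
    }, clock)
    out = {}
    t1 = store.issue("spa", "alice")              # rotation and replay detection
    clock.t += 1 * HOUR
    t2, _ = store.refresh(t1, "spa")
    out["rotated"] = t2 != t1
    out["replay_rejected"] = _fails(store, t1, "spa")
    out["family_revoked"] = _fails(store, t2, "spa")
    t3 = store.issue("spa", "bob")                # sliding window: 72h idle ends the session
    clock.t += 72 * HOUR + 1
    out["sliding_expired"] = _fails(store, t3, "spa")
    handle, ok = store.issue("spa", "carol"), 0   # absolute cap despite continuous use every 48h
    for _ in range(20):
        clock.t += 48 * HOUR
        try:
            handle, _ = store.refresh(handle, "spa")
            ok += 1
        except TokenError:
            break
    out["refreshes_before_absolute_cap"] = ok
    t5 = store.issue("native", "dave")            # reusable token: same handle comes back
    clock.t += 1 * HOUR
    out["reusable_same_handle"] = store.refresh(t5, "native")[0] == t5
    store.revoke(t5)
    out["revoked_rejected"] = _fails(store, t5, "native")
    return out


if __name__ == "__main__":
    print(run_scenarios())
```

The absolute cap is measured from the original grant and carried across rotations; if it were reset on every rotation, a rotating client could keep a session alive indefinitely and the absolute lifetime would be meaningless.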