Refresh token's time-to-live/expire time configuration #104

Closed
zaniar opened this issue Dec 5, 2017 · 8 comments

zaniar commented Dec 5, 2017

How do I configure the refresh token's time-to-live/expire time?

In configuration.php, I only found:

    // Expire times of the different tokens which can be issued
    'fusio_expire_implicit'   => 'PT1H',
    'fusio_expire_app'        => 'P2D',
    'fusio_expire_backend'    => 'P2D',
    'fusio_expire_consumer'   => 'PT1H',

chriskapp (Member) commented

Yes, currently we have only these options to control the token expire time. Fusio has multiple endpoints where you can obtain an access token. The config maps to the following endpoints:

    /authorization/token => fusio_expire_app
    /backend/token       => fusio_expire_backend
    /consumer/token      => fusio_expire_consumer

Every token which you obtain at such an endpoint expires after the value in the config. I.e. the backend token expires after 1 hour.

zaniar commented Dec 7, 2017

So, we do not have an option to control the refresh token's expire time yet?

chriskapp (Member) commented

Hi, yes this is correct. Currently the refresh token expire time is the fusio_expire_app time. Do you need to configure the token expire time in a separate config field?

zaniar commented Dec 8, 2017

fusio_expire_app is also the expire time for the access token, right?

I have not confirmed it yet, but I think the current refresh token expires at the same time as the access token. If that is right, it should not work that way.

The refresh token should live longer than the access token, so when the access token is expired, I can renew the access token using the refresh token.

I have an app that should refresh the access token when the access token becomes invalid. But it always says that the refresh token was invalid.

chriskapp (Member) commented

> fusio_expire_app is also the expire time for the access token, right?

Yes, correct.

> I have an app that should refresh the access token when the access token becomes invalid. But it always says that the refresh token was invalid.

So if you request an access token, the response contains the expires_in timestamp.

    {
      "access_token": "String",
      "token_type": "String",
      "expires_in": "String",
      "refresh_token": "String"
    }

I would probably guess that in your case you have used the refresh token too late. That means the refresh token is also bound to the expires_in time; after that it is no longer possible to use the token. You could try to refresh the access token in i.e. expires_in - 60 seconds, so before the token expires. Then the refresh token should still be valid.

zaniar commented Dec 9, 2017

I see.
In my case, I want to use refresh_token when access_token is expired.
Is there any standard way of using refresh_token?
I have played with API Platform a little bit before, and one of the refresh token implementations it uses has separate expire times for the access token & refresh token.
Should it become a Fusio feature to have separate expire times for the access token & refresh token? What do you think?

@chriskapp
Copy link
Member

Yes, I think it is probably a good idea to separate the expire time of the refresh and access token. I think the best way would be to simply add a new config i.e. fusio_expire_refresh. Then the user could separately configure the expire time of the refresh and access token.

chriskapp added feature and removed question labels Dec 9, 2017

chriskapp (Member) commented

So in the latest release we now have a fusio_expire_refresh config where it is possible to specify the expire time of the refresh token.
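
Added example (not from the thread and not Fusio's own code): it parses the duration values shown in configuration.php and decides, from the time since the token was issued, whether a client should use the access token, refresh it, or log in again, with and without a separate fusio_expire_refresh. The function names, the 60-second margin taken from the suggestion in the thread, the assumption that fusio_expire_refresh takes the same duration format, and the 'P7D' value are assumptions.

```python
import re
from datetime import timedelta

# Subset of ISO 8601 durations (weeks, days, hours, minutes, seconds), enough
# for values such as 'PT1H' and 'P2D'. Years and months are not handled.
DURATION_RE = re.compile(
    r"^P(?:(?P<weeks>\d+)W)?(?:(?P<days>\d+)D)?"
    r"(?:T(?:(?P<hours>\d+)H)?(?:(?P<minutes>\d+)M)?(?:(?P<seconds>\d+)S)?)?$"
)


def parse_duration(value: str) -> timedelta:
    """Convert a config value like 'PT1H' into a timedelta."""
    match = DURATION_RE.match(value)
    # 'P' alone or a trailing 'T' match the pattern but carry no components.
    if not match or value == "P" or value.endswith("T"):
        raise ValueError(f"unsupported duration: {value!r}")
    return timedelta(**{k: int(v or 0) for k, v in match.groupdict().items()})


def token_state(elapsed, expire_app, expire_refresh=None, skew=60):
    """Decide what a client should do `elapsed` seconds after token issuance.

    expire_refresh=None models the behaviour described in the thread before
    fusio_expire_refresh existed: the refresh token shares fusio_expire_app.
    """
    access_ttl = parse_duration(expire_app).total_seconds()
    refresh_ttl = parse_duration(expire_refresh or expire_app).total_seconds()
    if elapsed < access_ttl - skew:
        return "use_access_token"
    if elapsed < refresh_ttl:
        return "refresh"         # refresh token is still accepted
    return "reauthenticate"      # refresh token has expired as well


if __name__ == "__main__":
    # Constructed timings, in seconds since the token was issued.
    for elapsed in (100, 172800 - 30, 172800 + 1):
        shared = token_state(elapsed, "P2D")            # shared lifetime
        separate = token_state(elapsed, "P2D", "P7D")   # 'P7D' is a sample value
        print(elapsed, shared, separate)
```

With a shared lifetime the only usable refresh window is the `skew` seconds before the access token expires; with a longer refresh lifetime the client can still refresh after the access token has lapsed.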
