Increasing toked expiration time.

[arminvburren]

Hello,

From what I understand the expiration time is given by the following function, and it is 3600 right now :

    response = RedirectResponse(make_https_if_not_local(request.url_for("login")))
    response.set_cookie(
        "user_session_cookie",
        tokens["access_token"],
        expires=int(datetime.now().timestamp() + tokens["expires_in"]),
        httponly=True,
        secure=False,  # ❌ Set this to `True` in production !
    )

How can i have the token last longer (so that users don't have to log in every hour) ?
Is it just enough to set a later "expires" or is there another param to change so that it's also valid server-side ?

P.S. other question: what exactly does secure = True ?

[frankie567]

Hi @arminvburren 👋

The expiry time is embedded in the token itself (it's a JWT). It means that you can't increase the lifetime of the token. What we do here is to make the cookie expires at the same time as the token itself.

Currently, it's not possible to change the lifetime of the access token, but it's something that we may add in the future. That said, Fief stores a user session on its side, so if you redirect a user to the Fief login page, their session will be recognized and they will be automatically redirected and authenticated without having to do anything.

As for the secure option, it corresponds to the Secure flag of the cookie. If set to True, it means this cookie is only forwarded by the browser to the server if the connection is HTTPS. It's critical in terms of security to be sure a malicious actor can't steal the access token while the request is going through the internet. However, during local development, you usually don't have HTTPS setup, so we can set it to False for convenience.

[arminvburren]

Hello, thanks for the answers!

Currently, it's not possible to change the lifetime of the access token, but it's something that we may add in the future. That said, Fief stores a user session on its side, so if you redirect a user to the Fief login page, their session will be recognized and they will be automatically redirected and authenticated without having to do anything.

How long does the fief session last ? I think I understand but does redirecting directly to login page wouldn't be a bit tricky since authentification is optional on my website ? I guess in the current setting would have to use a longer cookie to track the previous login, manually check if it's here on each page, and if it is here (and only if it is) redirect to the login page, which would still be a small inconvenience to the user.
Anyway ping me if at some point you add an option server-side to make the JWT last longer!

[frankie567]

The Fief session lasts for 30 days by default.

I think I understand but does redirecting directly to login page wouldn't be a bit tricky since authentification is optional on my website

Hmm, I see! The other solution (which is a bit more complex) is to create your own token on your server. This token would be tied to the Fief access token, and also the refresh token; which would allow you to get a fresh access token in the background. This is more or less what I do to maintain the session in the Fief admin dashboard:

• https://github.com/fief-dev/fief/blob/main/fief/models/admin_session_token.py
• https://github.com/fief-dev/fief/blob/main/fief/dependencies/admin_session.py

[arminvburren]

Hello, so I'm coming back on this issue which is my biggset one as of now.

To be honest I've tried reading the code and I don't se at all how to start implementing this.. is the codes in the iles linked here enough to get the result or some more logic is needed ? I'm not even figuring out where in there there is the logic to get the refresh token in these files. IF you could expand a bit on how I could implement this that would be great.

Also are you still planning to put the expiration duration as an option in the fief dashboard ? I don't wanna come across as too demanding since it's already great to have all of this for free, but it would seems like a quite valuable feature for your project, possibly useful for more use cases than mine 🤷‍♂️ ?

[jhamman]

Just swinging by to give a +1 to this feature. I would be fine setting the expiration time in either the Fief dashboard or our API.

[arminvburren]

Hello @frankie567 could you have a look at this issue and give some first steps of implementing an increase of user login time (or adding the functionality in the dashboard) ?

This is the biggest obstacle for developping my website with your tool, since some early users have started complaining about it. Also I am not the only one to talk about since there's @jhamman, and honestly it seem like a quite important feature for your project.

Regards,

[arminvburren]

(also the link you gave are not working anymore)

[frankie567]

Hi @arminvburren 👋

Yes, that's something that's still on my mind. I've put it at the top of my priority list.

Meanwhile, I've updated the default access token lifetime on Fief Cloud to 24 hours. It should be a good trade-off between security and convenience. I hope it'll ease things on your side while the feature is being worked on.

[frankie567]

Hello there 👋

With the latest release, you can customize access token, refresh token and authorization code lifetimes per client.

[arminvburren]

Hello, this is awesome, thank you !
Armin