Server extension to refresh OAuth token #3
Comments
Random thought: is there a maximum time a token can be renewed? If yes, we need a bit of UI glue to tell the user that they are out of time and need to perform the above steps.
Not sure what the exact question is, but it looks like we're using the defaults from django-oauth-toolkit for token expiration. The access token will expire 10 hours after it's issued, and the refresh token never expires.
Ok. Sorry for the imprecise question. Your answer did contain the information I was looking for. Sounds like we can use the refresh token forever and ever to keep getting a new access token (that will be valid for the next ten hours).
Sorry, that's not entirely correct... With our current configuration, refresh tokens have an indefinitely long lifetime – but they are rotated. That is to say: once a particular refresh token is used, it is no longer possible to use it again. A successful refresh will return a new access token – and a new refresh token. Thus, the process of refresh can be repeated indefinitely, but each refresh token is single-use.
Thanks for explaining. I update both the auth and refresh token after getting a new one. Work on this is happening in https://github.com/OpenHumans/jhoauth-refresh. Current state of the jhoauth-refresher is included in the custom image that #15 brings in.
Currently the only way to renew your token is to:
Pretty tedious. We should install a server extension that refreshes the token periodically so that it is always valid.
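The refresh-token rotation described in the comments, combined with the periodic refresh this issue asks for, as an added example that is not code from this project, jhoauth-refresh or django-oauth-toolkit. `RotatingTokenServer` and `Refresher` are hypothetical names, the server is an in-memory stand-in for the real token endpoint, and the 300-second renewal margin is an assumption.

```python
import secrets

ACCESS_LIFETIME = 10 * 3600  # seconds; the 10-hour access-token lifetime quoted in the thread

class RotatingTokenServer:
    """In-memory stand-in for a token endpoint that rotates refresh tokens."""

    def __init__(self):
        self._live_refresh = set()  # refresh tokens issued and not yet used

    def issue(self, now):
        refresh = secrets.token_urlsafe(16)
        self._live_refresh.add(refresh)
        return {"access_token": secrets.token_urlsafe(16),
                "refresh_token": refresh,
                "expires_at": now + ACCESS_LIFETIME}

    def refresh(self, refresh_token, now):
        if refresh_token not in self._live_refresh:
            raise PermissionError("invalid_grant")  # unknown or already used
        self._live_refresh.remove(refresh_token)  # single use: retire it
        return self.issue(now)

class Refresher:
    """Keeps the stored token pair valid by renewing shortly before expiry."""

    def __init__(self, server, tokens, margin=300):
        self.server, self.tokens, self.margin = server, tokens, margin

    def tick(self, now):
        """Call periodically; returns True when a refresh happened."""
        if now < self.tokens["expires_at"] - self.margin:
            return False
        # Replace the whole pair: the old refresh token is dead after this call,
        # so keeping it would make the next refresh fail.
        self.tokens = self.server.refresh(self.tokens["refresh_token"], now)
        return True

def demo():
    server = RotatingTokenServer()
    first = server.issue(now=0)  # constructed sample token pair
    refresher = Refresher(server, dict(first))
    early = refresher.tick(now=3600)                    # 1 hour in: nothing to do
    renewed = refresher.tick(now=ACCESS_LIFETIME - 60)  # inside the margin: refresh
    try:
        server.refresh(first["refresh_token"], now=ACCESS_LIFETIME)  # reuse old token
    except PermissionError:
        return early, renewed, "rejected"
    return early, renewed, "accepted"
```
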