electrickiwi-nz / api-samples

Electric Kiwi API Samples. Provides sample code on how to authenticate and make calls to the Electric Kiwi API. To get started with the APIs, please check the Electric Kiwi developer website.
https://developer.electrickiwi.co.nz
MIT License

Refresh token age #17

Closed damianpeterson closed 1 year ago

damianpeterson commented 1 year ago

How long should a refresh token last? On your developer documentation you say:

"The access token is valid for 30 minutes and has to be refreshed after that to generate a new access token that is valid for another 30 minutes. The refresh token is valid for 10 years and can be used to refresh the access token at any time during this period."

I notice that access tokens are only valid for 20 minutes and have experienced having to log back in after less than a day of inactivity using a refresh token.

edit: to clarify, refresh tokens appear to be expiring in less than a day. Perhaps less than 8 hours. Which means it requires a full login to acquire new access and refresh tokens.

mikey0000 commented 1 year ago

Yeah they are working on changing that, I have similar issues with my home assistant integration. In my experience you need to refresh at least every hour, though I've not looked hard at the refresh token expiry time.

damianpeterson commented 1 year ago

Ah. That's a problem. I don't store access or refresh tokens on behalf of my users (it's cookied locally) and they tend to only use the app once a day to update their hour of power.

There's a large difference between a 10 year refresh token and a 1 hour one for my purposes. Kind of breaks the concept of refresh tokens.

I'd still like an official answer from @electrickiwi-nz though.

mikey0000 commented 1 year ago

see https://github.com/electrickiwi-nz/api-samples/issues/12

electrickiwi-nz commented 1 year ago

@damianpeterson - thanks for the question regarding the refresh_token - unfortunately our documentation is incorrect and we don't have a 10-year expiry on the refresh token; it is currently set to 3 hours. There is work going on in the next couple of sprints to allow client-specific refresh_token timeouts. This will mean that we can define a refresh_token timeout to be specific to the application needs, like 5 days, etc...

The bearer token currently has a 20-minute session timeout, and so I would suggest you look to implement the refresh_token OAuth process flow as @mikey0000 pointed out so you can extend your sessions.

I will let you know once this implementation is done.

Cheers, Matt

damianpeterson commented 1 year ago

I look forward to the update. I'll leave this ticket open.

damianpeterson commented 1 year ago

@electrickiwi-nz it seems over the last couple of days the refresh token is lasting longer than 3 hours. Can you confirm what the new expiry time is?

electrickiwi-nz commented 1 year ago

@damianpeterson - sorry for the late response ... the team has been working through the adjustments to allow for the refresh_token expiry to be customised per client. This is now live and working with a 1 day refresh_token expiry for our Juice Hackers.

There was an issue where we made this expiry longer than a day which is why you would have seen the token lasting longer. This is now 1 day.

We hope that this provides a better experience for your app users while balancing UX experience and token security.

Cheers, Matt

damianpeterson commented 1 year ago

Unfortunately a 1 day expiry will fail half of the time assuming a customer returns to update their hour of power once a day. If they're a little bit later than the day before it will mean they have to go through the whole login process again.

You mentioned above, "There is work going on in the next couple of sprints to allow client-specific refresh_token timeouts. This will mean that we can define a refresh_token timeout to be specific to the application needs, like 5 days, etc..."

Is this still on the cards?

If not, can I please request that your default refresh expiry is more like 7 days (for my use case, others may desire longer). And can I please request that you update your developer documentation to reflect whatever it is because it currently says 10 years.

electrickiwi-nz commented 1 year ago

@damianpeterson - sorry for the late response. The refresh token should now be set to expire after 5 days. I hope this helps.
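The refresh_token flow Matt recommends above, together with the lifetime question Damian raises (a once-a-day user against a 1-day versus a 5-day refresh expiry), as an added example that is not code from this repository or from Electric Kiwi. It assumes a standard RFC 6749 token endpoint and fakes it in memory so it runs offline; the endpoint path, the credentials, the single-use rotation of refresh tokens and the 60-second refresh margin are assumptions, while the 20-minute, 3-hour, 1-day and 5-day lifetimes are the figures stated in this thread.

```python
"""OAuth 2.0 refresh_token lifecycle helper with a simulated token endpoint.

Added example; not code from electrickiwi-nz/api-samples. The endpoint
path, credentials, fake server and refresh-token rotation are assumptions
for illustration; the token lifetimes are the ones stated in this thread.
"""
import time
from dataclasses import dataclass

ACCESS_TTL = 20 * 60      # 20-minute bearer token (stated in this thread)
REFRESH_MARGIN = 60       # assumed: refresh this many seconds before expiry


class ReloginRequired(Exception):
    """The refresh token is expired or rejected; a full login is needed."""


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    access_expires_at: float    # unix time, derived from expires_in
    refresh_expires_at: float   # unix time, derived from the documented lifetime


class FakeTokenEndpoint:
    """Offline stand-in for a token endpoint (assumed path: /oauth/token)."""

    def __init__(self, clock, refresh_ttl):
        self.clock, self.refresh_ttl, self.counter = clock, refresh_ttl, 0
        self.live = {}  # refresh_token -> expiry time

    def _issue(self):
        self.counter += 1
        rt = f"rt-{self.counter}"
        self.live[rt] = self.clock() + self.refresh_ttl
        # RFC 6749 5.1 shape: expires_in covers only the access token, so the
        # client has to track refresh-token expiry from the documented value.
        return {"access_token": f"at-{self.counter}", "token_type": "Bearer",
                "expires_in": ACCESS_TTL, "refresh_token": rt}

    def login(self, username, password):
        return self._issue()  # full login; grant type is not modelled here

    def refresh(self, refresh_token):
        exp = self.live.pop(refresh_token, None)  # assumption: single-use, rotated
        if exp is None or self.clock() > exp:
            return {"error": "invalid_grant"}    # RFC 6749 5.2
        return self._issue()


class TokenManager:
    def __init__(self, endpoint, refresh_ttl, clock=time.time):
        self.endpoint, self.refresh_ttl, self.clock = endpoint, refresh_ttl, clock
        self.tokens = None

    def _store(self, resp, old=None):
        now = self.clock()
        rt = resp.get("refresh_token")
        if rt is None:  # server did not rotate: keep old token and its expiry
            rt, rt_exp = old.refresh_token, old.refresh_expires_at
        else:
            rt_exp = now + self.refresh_ttl
        self.tokens = TokenSet(resp["access_token"], rt,
                               now + resp["expires_in"], rt_exp)
        return self.tokens

    def login(self, username, password):
        return self._store(self.endpoint.login(username, password))

    def get_access_token(self):
        """Return a usable bearer token, refreshing proactively; raise
        ReloginRequired when only a full login can recover the session."""
        t, now = self.tokens, self.clock()
        if t is None:
            raise ReloginRequired("no session")
        if now < t.access_expires_at - REFRESH_MARGIN:
            return t.access_token
        if now >= t.refresh_expires_at:
            raise ReloginRequired("refresh token past its %ds lifetime" % self.refresh_ttl)
        resp = self.endpoint.refresh(t.refresh_token)
        if "error" in resp:  # server disagrees (revoked, clock skew): trust it
            self.tokens = None
            raise ReloginRequired(resp["error"])
        return self._store(resp, old=t).access_token


def simulate(visit_gaps, refresh_ttl):
    """Replay app visits separated by the given gaps (seconds) and report,
    per visit, whether the token was 'cached', 'refreshed' or a 'relogin'."""
    now = [0.0]
    clock = lambda: now[0]
    mgr = TokenManager(FakeTokenEndpoint(clock, refresh_ttl), refresh_ttl, clock)
    mgr.login("user@example.com", "example-password")  # constructed credentials
    outcomes = []
    for gap in visit_gaps:
        now[0] += gap
        before = mgr.tokens.access_token
        try:
            outcomes.append("cached" if mgr.get_access_token() == before else "refreshed")
        except ReloginRequired:
            mgr.login("user@example.com", "example-password")
            outcomes.append("relogin")
    return outcomes


if __name__ == "__main__":
    day = 24 * 3600
    print(simulate([5 * 60, 25 * 60, 4 * 3600], 3 * 3600))  # 3-hour refresh token
    print(simulate([25 * 3600] * 3, day))                   # daily user, 1-day expiry
    print(simulate([25 * 3600] * 3, 5 * day))               # daily user, 5-day expiry
```

Two points the simulation makes concrete: the token response only reports `expires_in` for the access token, so the client must track refresh-token expiry from the documented lifetime and still treat an `invalid_grant` from the server as authoritative; and a user who comes back every 25 hours hits a full login on every visit with a 1-day refresh expiry but never with a 5-day one. Whatever the expiry, the refresh token is a long-lived credential: keep it out of logs and, if it lives in a browser cookie, mark that cookie HttpOnly and Secure.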