Open junwoo777 opened 11 months ago
No, not security through obscurity. After all the source code is public and you were able to see it. It's just something that got missed. See https://django-oauth-toolkit.readthedocs.io/en/latest/settings.html#access-token-expire-seconds which is in the docs as an example of a closely related expiration that is also defaulted to 36000 seconds.
A documentation PR would be appreciated.
The current default setting is 36000 seconds, but it is not documented that this value can be configured. Is the omission of ID_TOKEN_EXPIRE_SECONDS from the documentation intentional for security reasons?