Open jbagot opened 6 years ago
Hi, I think this is an important feature. As far as I understand the existing code, a user can stay logged in forever if he has a `refresh_token`. With every refresh, the user will receive a new access/`id_token` and a new `refresh_token`. It also doesn't matter if the current `access_token` has expired, it is still possible to generate a new `access_token` with the `refresh_token`.
The only chance to block a user is to remove all tokens of the user!
I think it would be fine if the refresh token had the option to expire. I can do a PR if you agree with that. Sometimes it is interesting to have a refresh token with an expiry time. If we want a long-lived token with 60 days of inactivity, after these 60 days the user must re-login. Let me know if it's interesting for you and I can implement it.
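Added illustration of the two behaviours discussed in this issue (this is example code, not the project's implementation): an in-memory token store whose refresh tokens either never expire, so a client that keeps refreshing holds a session forever and the only remedy is to revoke every token, or are bound to a sliding inactivity window (60 days here), after which the refresh is refused and the user must log in again. Refresh tokens are also rotated on every use. All names (`TokenStore`, `refresh_after_idle`, and so on), the token values and the login timestamp are constructed for the demo, and the short access-token lifetime is an assumption.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

ACCESS_TOKEN_LIFETIME = timedelta(minutes=10)  # assumed short lifetime


@dataclass
class TokenRecord:
    user: str
    access_token: str
    refresh_token: str
    access_expires_at: datetime
    refresh_expires_at: Optional[datetime]  # None = never expires (behaviour in the issue)


class TokenStore:
    """Hypothetical store: rotating refresh tokens, optional inactivity limit."""

    def __init__(self, refresh_inactivity_limit: Optional[timedelta] = None):
        self.limit = refresh_inactivity_limit
        self._by_refresh = {}  # refresh_token -> TokenRecord

    def login(self, user: str, now: datetime) -> TokenRecord:
        return self._issue(user, now)

    def _issue(self, user: str, now: datetime) -> TokenRecord:
        rec = TokenRecord(
            user=user,
            access_token=secrets.token_urlsafe(32),
            refresh_token=secrets.token_urlsafe(32),
            access_expires_at=now + ACCESS_TOKEN_LIFETIME,
            # Sliding window: each successful refresh re-arms the deadline.
            refresh_expires_at=(now + self.limit) if self.limit else None,
        )
        self._by_refresh[rec.refresh_token] = rec
        return rec

    def refresh(self, refresh_token: str, now: datetime) -> TokenRecord:
        # Rotation: the presented token is consumed even if the refresh fails,
        # so a replayed refresh token is always rejected.
        rec = self._by_refresh.pop(refresh_token, None)
        if rec is None:
            raise PermissionError("unknown or already-used refresh token")
        if rec.refresh_expires_at is not None and now >= rec.refresh_expires_at:
            raise PermissionError("refresh token expired; user must log in again")
        # Access-token expiry is deliberately not checked, as the issue describes.
        return self._issue(rec.user, now)

    def revoke_all(self, user: str) -> int:
        """Without refresh expiry this is the only way to end a session."""
        doomed = [k for k, v in self._by_refresh.items() if v.user == user]
        for k in doomed:
            del self._by_refresh[k]
        return len(doomed)


T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed login time


def refresh_after_idle(idle_days: int, limit_days: Optional[int] = None) -> str:
    """Log in, stay idle for idle_days, then attempt one refresh."""
    store = TokenStore(timedelta(days=limit_days) if limit_days else None)
    rec = store.login("alice", T0)
    try:
        store.refresh(rec.refresh_token, T0 + timedelta(days=idle_days))
        return "refreshed"
    except PermissionError:
        return "relogin_required"


def session_survives(limit_days: int, refresh_every_days: int, total_days: int) -> bool:
    """Refresh periodically; an active client stays inside the sliding window."""
    store = TokenStore(timedelta(days=limit_days))
    rec = store.login("alice", T0)
    try:
        for day in range(refresh_every_days, total_days + 1, refresh_every_days):
            rec = store.refresh(rec.refresh_token, T0 + timedelta(days=day))
        return True
    except PermissionError:
        return False


def reuse_is_rejected() -> bool:
    """A rotated-out refresh token must not work a second time."""
    store = TokenStore(timedelta(days=60))
    first = store.login("alice", T0)
    store.refresh(first.refresh_token, T0 + timedelta(days=1))
    try:
        store.refresh(first.refresh_token, T0 + timedelta(days=2))
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    print("no limit, 100 idle days:", refresh_after_idle(100))
    print("60-day limit, 100 idle days:", refresh_after_idle(100, 60))
    print("60-day limit, refreshing every 30 days for a year:", session_survives(60, 30, 365))
    print("reused refresh token rejected:", reuse_is_rejected())
```

The inactivity limit is re-armed on each refresh rather than fixed at login, which is what "60 days of inactivity" means in practice: an active client is never forced to re-login, while an idle or abandoned client loses its session. Consuming the presented refresh token before any check is what makes a stolen-and-replayed token useless once the legitimate client has refreshed.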