juanifioren / django-oidc-provider

OpenID Connect and OAuth2 provider implementation for Djangonauts.
http://django-oidc-provider.readthedocs.org
MIT License

Expire time for refresh token #230

Open jbagot opened 6 years ago

jbagot commented 6 years ago

I think it would be fine if the refresh token had the option to expire. I can do a PR if you agree with that. Sometimes it is interesting to have a refresh token with an expiry time, e.g. if we want a long-lived token with 60 days of inactivity, after which the user must re-login. Let me know if it's interesting for you and I can implement it.

Flor1an-dev commented 5 years ago

Hi, I think this is an important feature. As far as I understand the existing code, a user can stay logged in forever if he has a refresh_token. With every refresh, the user receives a new access/id_token and a new refresh_token. It also doesn't matter if the current access_token has expired; it is still possible to generate a new access_token with the refresh_token.

The only chance to block a user is to remove all tokens of the user!
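The behaviour the two comments describe (rotation on every refresh, no expiry, revocation only by deleting all of a user's tokens) and the requested fix (a sliding 60-day inactivity window after which the refresh grant fails and the user must re-authenticate) can be sketched in plain Python. This is an added example for the thread, not code from django-oidc-provider; the setting names `ACCESS_TOKEN_LIFETIME` and `REFRESH_TOKEN_INACTIVITY`, the `TokenStore` class and the `FakeClock` helper are all assumptions made for illustration, and no Django model is involved.

```python
"""Sliding-expiry refresh tokens: stand-alone sketch, not django-oidc-provider code."""
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical settings (the project has no such option at the time of this thread).
ACCESS_TOKEN_LIFETIME = timedelta(minutes=10)
REFRESH_TOKEN_INACTIVITY = timedelta(days=60)


class InvalidGrant(Exception):
    """Would map to an OAuth2 `invalid_grant` error response."""


@dataclass
class TokenRecord:
    user: str
    access_token: str
    refresh_token_hash: str      # only a hash is stored, so a DB dump cannot replay tokens
    access_expires_at: datetime
    refresh_expires_at: datetime


class FakeClock:
    """Controllable clock so the expiry logic can be exercised without waiting 60 days."""

    def __init__(self, start: datetime):
        self.now = start

    def advance(self, **kwargs):
        self.now += timedelta(**kwargs)


class TokenStore:
    def __init__(self, now):
        self._now = now              # callable returning an aware datetime
        self._by_refresh_hash = {}   # hashed refresh token -> TokenRecord

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str):
        """Mint a fresh access + refresh pair (what a code/password grant would do)."""
        now = self._now()
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        rec = TokenRecord(user, access, self._hash(refresh),
                          now + ACCESS_TOKEN_LIFETIME,
                          now + REFRESH_TOKEN_INACTIVITY)
        self._by_refresh_hash[rec.refresh_token_hash] = rec
        return access, refresh

    def refresh(self, refresh_token: str):
        """Refresh grant: consume the presented token (rotation) and issue a new pair."""
        rec = self._by_refresh_hash.pop(self._hash(refresh_token), None)
        if rec is None:
            raise InvalidGrant("unknown or already-used refresh token")
        if self._now() >= rec.refresh_expires_at:
            raise InvalidGrant("refresh token expired after inactivity; re-authenticate")
        # The access token being expired is irrelevant here, exactly as in the thread.
        return self.issue(rec.user)

    def revoke_all(self, user: str) -> int:
        """The 'remove all tokens of the user' fallback mentioned in the thread."""
        doomed = [h for h, r in self._by_refresh_hash.items() if r.user == user]
        for h in doomed:
            del self._by_refresh_hash[h]
        return len(doomed)


def new_store(start_year: int = 2024):
    """Return (clock, store) with a controllable clock starting at 1 Jan of the given year."""
    clock = FakeClock(datetime(start_year, 1, 1, tzinfo=timezone.utc))
    return clock, TokenStore(now=lambda: clock.now)


def run_demo():
    """Walk the 60-day inactivity window and return the outcome of each step."""
    clock, store = new_store()
    events = []
    _, r1 = store.issue("alice")
    clock.advance(days=59)                  # access token long expired, refresh still valid
    _, r2 = store.refresh(r1)
    events.append("refresh_after_59_days:ok")
    try:
        store.refresh(r1)                   # replay of the rotated token
    except InvalidGrant:
        events.append("replay_old_token:rejected")
    clock.advance(days=59)                  # window slid: 59 days since r2 was issued
    _, r3 = store.refresh(r2)
    events.append("refresh_after_sliding:ok")
    clock.advance(days=61)                  # 61 idle days -> forced re-login
    try:
        store.refresh(r3)
    except InvalidGrant:
        events.append("refresh_after_61_idle_days:rejected")
    return events
```

Each refresh issues a new pair whose refresh expiry is measured from that refresh, so the window slides with activity; an absolute cap (a fixed deadline copied from the original login) would be a one-line addition if "60 days since first login" is wanted instead. Rotation makes a leaked refresh token single-use, and storing only the hash means the server-side table cannot be replayed if it is read.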