I think there is a bug when refreshing tokens; the expiration of the access token is set to the refresh token's expiration value, not the access token's expiration.
In this screenshot you can see the state of the access tokens after one refresh. The old access token is revoked (and it has the correct expiration of 1 hr), but the new access token has an expiration of 1 month (which is the refresh token's expiration).
The function AuthorizationServer:respondToAccessTokenRequest calls respondToAccessTokenRequest on the current grant type (which is RefreshTokenGrant) and passes in the accessTokenTTL to be set as the expiration. It gets the value from the array grantTypeAccessTokenTTL with a lookup of the grant type, which is refresh token. But it should be getting the access token's ttl.
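An audit check for the symptom described in this report, added here as an example and not part of the original report or of the library's code: it scans stored access-token records and flags any whose lifetime exceeds the configured access-token TTL, noting when the lifetime equals the refresh-token TTL. The column names, timestamps and the reading of "1 month" as 30 days are assumptions; the sample rows are constructed.

```python
from datetime import datetime, timedelta

# Assumed configuration, based on the lifetimes named in the report.
ACCESS_TOKEN_TTL = timedelta(hours=1)
REFRESH_TOKEN_TTL = timedelta(days=30)  # "1 month" taken as 30 days (assumption)
TOLERANCE = timedelta(seconds=60)       # slack for rounding at issue time

# Constructed sample rows (hypothetical column names) modelled on the state
# described above: the old token revoked with a 1 hr lifetime, the refreshed
# token live with a 1 month lifetime.
TOKENS = [
    {"id": "tok-old", "revoked": True,
     "created_at": "2024-01-01T10:00:00", "expires_at": "2024-01-01T11:00:00"},
    {"id": "tok-new", "revoked": False,
     "created_at": "2024-01-01T10:45:00", "expires_at": "2024-01-31T10:45:00"},
]


def audit_access_tokens(rows, access_ttl=ACCESS_TOKEN_TTL,
                        refresh_ttl=REFRESH_TOKEN_TTL, tolerance=TOLERANCE):
    """Return a finding for every access token that outlives access_ttl."""
    findings = []
    for row in rows:
        issued = datetime.fromisoformat(row["created_at"])
        expires = datetime.fromisoformat(row["expires_at"])
        lifetime = expires - issued
        if lifetime <= access_ttl + tolerance:
            continue  # lifetime is within the configured access-token TTL
        findings.append({
            "id": row["id"],
            "revoked": row["revoked"],
            "lifetime": lifetime,
            "excess": lifetime - access_ttl,
            # True when the token carries the refresh token's lifetime,
            # which is the mix-up this report describes.
            "matches_refresh_ttl": abs(lifetime - refresh_ttl) <= tolerance,
        })
    # Tokens that are still usable (not revoked) come first.
    return sorted(findings, key=lambda f: f["revoked"])


if __name__ == "__main__":
    for f in audit_access_tokens(TOKENS):
        print(f"{f['id']}: lifetime {f['lifetime']}, excess {f['excess']}, "
              f"matches refresh TTL: {f['matches_refresh_ttl']}")
```
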