wildtreetech / ohjh

ohjh - The OpenHumans JupyterHub deployment
MIT License

Server extension to refresh OAuth token #3

Open betatim opened 6 years ago

betatim commented 6 years ago

Currently the only way to renew your token is to:

  1. stop server
  2. logout
  3. login
  4. start server

Pretty tedious. We should install a server extension that refreshes the token periodically so that it is always valid.

betatim commented 6 years ago

Random thought: is there a maximum time a token can be renewed? If yes we need a bit of UI glue to tell the user that they are out of time and need to perform above steps.

madprime commented 6 years ago

Not sure what the exact question is, but it looks like we're using the defaults from django-oauth-toolkit for token expiration. The access token will expire 10 hours after it's issued, and the refresh token never expires.

betatim commented 6 years ago

Ok. Sorry for the imprecise question. Your answer did contain the information I was looking for. Sounds like we can use the refresh token forever and ever to keep getting a new access token (that will be valid for the next ten hours).

madprime commented 6 years ago

Sorry, that's not entirely correct...

With our current configuration, refresh tokens have an indefinitely long lifetime – but they are rotated. That is to say: once a particular refresh token is used, it is no longer possible to use it again. A successful refresh will return a new access token – and a new refresh token. Thus, the process of refresh can be repeated indefinitely, but each refresh token is single-use.
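The rotation behaviour described in the comment above, as an added example (not code from this repository, nor from django-oauth-toolkit or jhoauth-refresh): a minimal in-memory stand-in for an authorization server that hands out a 10-hour access token and a single-use refresh token, and a client-side holder that stores both new tokens after every refresh. Reusing an already-consumed refresh token is rejected and flagged, which is the property a server extension that refreshes periodically has to respect. The classes, the `PermissionError` signalling and the constructed clock are assumptions made for this illustration.

```python
"""Added example: OAuth refresh-token rotation with single-use refresh tokens.

Constructed stand-in for an authorization server; not django-oauth-toolkit code.
"""
import secrets

# Matches the 10-hour access-token lifetime mentioned in the thread.
ACCESS_TOKEN_LIFETIME = 10 * 3600  # seconds


class FakeClock:
    """Constructed, controllable clock so the example runs offline and deterministically."""

    def __init__(self, start=1_000_000):
        self.t = start

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class RotatingTokenServer:
    """Issues access/refresh pairs; every refresh token may be used exactly once."""

    def __init__(self, clock):
        self.clock = clock
        self._access = {}      # access_token -> expiry timestamp
        self._refresh = set()  # refresh tokens that are still usable
        self._consumed = set() # refresh tokens already spent (replay detection)

    def issue(self):
        """Issue a fresh pair, e.g. after login or after a successful refresh."""
        access = secrets.token_urlsafe(32)
        refresh = secrets.token_urlsafe(32)
        self._access[access] = self.clock.now() + ACCESS_TOKEN_LIFETIME
        self._refresh.add(refresh)
        return {"access_token": access, "refresh_token": refresh}

    def refresh(self, refresh_token):
        """Exchange a refresh token for a new pair; the old refresh token is retired."""
        if refresh_token in self._consumed:
            # A second use of a rotated token is a replay: reject and let the caller log it.
            raise PermissionError("refresh token already used")
        if refresh_token not in self._refresh:
            raise PermissionError("unknown refresh token")
        self._refresh.discard(refresh_token)
        self._consumed.add(refresh_token)
        return self.issue()

    def is_valid_access(self, access_token):
        expiry = self._access.get(access_token)
        return expiry is not None and expiry > self.clock.now()


class TokenHolder:
    """Client side: keeps the current pair and replaces BOTH on every refresh."""

    def __init__(self, server, tokens):
        self.server = server
        self.tokens = tokens

    def refresh(self):
        new = self.server.refresh(self.tokens["refresh_token"])
        # Keeping only the new access token would strand the client at the next refresh,
        # because the refresh token it still holds has just been consumed.
        self.tokens = new
        return new


def simulate(n_refreshes=3):
    """Run a login plus n refreshes; report what a periodic refresher must rely on."""
    clock = FakeClock()
    server = RotatingTokenServer(clock)
    holder = TokenHolder(server, server.issue())
    first_access = holder.tokens["access_token"]
    first_refresh = holder.tokens["refresh_token"]

    for _ in range(n_refreshes):
        clock.advance(9 * 3600)  # refresh before the 10-hour expiry
        holder.refresh()

    try:
        server.refresh(first_refresh)  # replaying the very first refresh token
        replay_rejected = False
    except PermissionError:
        replay_rejected = True

    clock.advance(2 * 3600)  # the original access token is now well past 10 hours
    return {
        "current_access_valid": server.is_valid_access(holder.tokens["access_token"]),
        "first_access_valid": server.is_valid_access(first_access),
        "refresh_token_changed": holder.tokens["refresh_token"] != first_refresh,
        "replay_rejected": replay_rejected,
    }


if __name__ == "__main__":
    print(simulate())
```

A periodic refresher built on this model only needs to run `TokenHolder.refresh()` well inside the access-token lifetime and persist the returned pair atomically; if two copies of the extension ever race on the same refresh token, the second one receives the replay rejection, which is worth surfacing in the logs rather than silently retrying.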

betatim commented 6 years ago

Thanks for explaining. I update both the auth and refresh token after getting a new one.

Work on this is happening in https://github.com/OpenHumans/jhoauth-refresh

Current state of the jhoauth-refresher is included in the custom image that #15 brings in.