New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
TouchRequiredSession generates new refresh token when access token is expired #34
Comments
"I am noticing that the refresh-token is rotated when the access token is expired and the refresh token is not. " I'm not sure I understand :) Which tokens are changed and which should stay the same? |
If the session is expired, then to prolong the session, it has to be first re-created using the refresh token - which "consumes" it. Hence a new one is created. I suppose the question is, should |
Hi @adamw. I am trying to setup my application such that I have a short lived access-token (15min) and a longer lived refresh-token (12hrs). I want the entire session to after 12hrs from initial login, but allow the access-token to be refreshed as needed within that time window. I might be misunderstanding the documentation, but it sounds like What I am noticing is that the refresh-token is being rotated each time the access-token, and when this happens the expiry is also extended another 12hrs. The result will be that the session will not expire until there is 12hrs of inactivity. Currently I don't see a difference in behavior between using |
Well, unfortunately when the session is expired and re-created, both tokens are currently re-created. The difference between For your use-case, possible solutions are:
Of course, the third one would be best :) |
@adamw Thanks so much for the clarification. I completely misunderstood |
I am using touchRequiredSession with refresh tokens and custom headers. I am noticing that the refresh-token is rotated when the access token is expired and the refresh token is not. It is my understanding that using touch should not result in a new refresh token, only a new access token. I verified that the refresh token was being rotated with an extended expiry in the data store.
I could be wrong, but it seems like requiredSession(), which is called by touch, always does the rotation when expired. https://github.com/softwaremill/akka-http-session/blob/master/core/src/main/scala/com/softwaremill/session/SessionDirectives.scala#L81
The text was updated successfully, but these errors were encountered: