Hacker News
by sascha_sl 1362 days ago
If you mean access and refresh tokens - both usually have a lifetime in the signed payload.

Your access/ID token is short-lived (~5 minutes). This token is trusted without confirming if the user still has access.

Your refresh token has a longer lifetime (hours to months) and can be used to trade for another access token (and a new refresh token, invalidating the old one). Every time you do this trade, your authentication server can also check if the user still exists, is not banned, has not signed out and still has the same claims (username, email, groups...), and either not issue a new token or issue a token with different claims.

There are proxy servers that will do this entire thing in the background for you and hand you the claims of the current access token in HTTP headers.
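As an added illustration of the flow sascha_sl describes above (example code written for this page, not code from the comment, from Hacker News, or from any real authorization server): a minimal Python model in which both tokens carry their lifetime in an HMAC-signed payload, the access token is accepted on signature and expiry alone, and the refresh token is rotated on every exchange while the exchange re-checks the user store. The signing key, the `USERS` dictionary, the TTLs and the `ACTIVE_REFRESH` set are all constructed for the example; the token format is a simplified signed JSON blob, not a standards-compliant JWT.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Constructed for this example; a real server would load the key from a secret store.
KEY = b"example-hmac-key-not-for-production"
ACCESS_TTL = 300                 # ~5 minutes, as in the comment
REFRESH_TTL = 30 * 24 * 3600     # hours to months; 30 days here

# Hypothetical user store. The refresh exchange re-reads it; access-token checks do not.
USERS = {
    "alice": {"email": "alice@example.test", "groups": ["dev"], "banned": False},
}
# Ids of refresh tokens that may still be exchanged. Rotation and sign-out remove entries.
ACTIVE_REFRESH = set()


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign(payload: dict) -> str:
    """Serialize the payload and append an HMAC-SHA256 tag: '<body>.<tag>'."""
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    tag = _b64(hmac.new(KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"


def verify(token: str, now: float) -> Optional[dict]:
    """Check signature and lifetime only; no user lookup. This is all an
    access token gets, which is why it must be short-lived."""
    try:
        body, tag = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(tag, expected):
        return None
    payload = json.loads(_unb64(body))
    if payload.get("exp", 0) <= now:
        return None
    return payload


def issue(username: str, now: float) -> Tuple[str, str]:
    """Mint a fresh access/refresh pair from the user's current claims."""
    user = USERS[username]
    access = sign({"typ": "access", "sub": username, "email": user["email"],
                   "groups": user["groups"], "exp": now + ACCESS_TTL})
    jti = secrets.token_hex(16)
    ACTIVE_REFRESH.add(jti)
    refresh_tok = sign({"typ": "refresh", "sub": username, "jti": jti,
                        "exp": now + REFRESH_TTL})
    return access, refresh_tok


def refresh(refresh_token: str, now: float) -> Optional[Tuple[str, str]]:
    """Trade a refresh token for a new pair. The old refresh token is invalidated
    first, then the user is re-checked, so a banned or deleted user gets nothing."""
    payload = verify(refresh_token, now)
    if payload is None or payload.get("typ") != "refresh":
        return None
    if payload["jti"] not in ACTIVE_REFRESH:
        return None                      # already rotated or signed out
    ACTIVE_REFRESH.discard(payload["jti"])   # rotation: old refresh token is dead
    user = USERS.get(payload["sub"])
    if user is None or user["banned"]:
        return None                      # refuse to issue a new token
    return issue(payload["sub"], now)    # new pair carries the current claims


def sign_out(refresh_token: str, now: float) -> None:
    """Sign-out revokes the refresh token; outstanding access tokens simply expire."""
    payload = verify(refresh_token, now)
    if payload and payload.get("typ") == "refresh":
        ACTIVE_REFRESH.discard(payload["jti"])


if __name__ == "__main__":
    t0 = time.time()
    a1, r1 = issue("alice", t0)
    USERS["alice"]["groups"].append("admin")
    a2, r2 = refresh(r1, t0 + 60)
    print(verify(a1, t0 + 60)["groups"], "->", verify(a2, t0 + 60)["groups"])
```

The points to notice when running it: the original access token keeps validating, with its stale group list, until its five minutes are up even after the user is changed or banned, because `verify` never touches `USERS`; the refresh exchange is the only place the server gets to say no or to hand out updated claims; and a refresh token can be exchanged exactly once, so a replayed (stolen) old refresh token is rejected.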