
How to set different expiry time for access and refresh tokens?

Open · ondrowan opened this issue 2 years ago · 1 comment

I'm implementing a server that supports pretty standard Authorization Code flow. I'd like to generate both access and refresh tokens, the former with short expiry time, the latter with long expiry time. I kinda struggle with how to implement this. Since those tokens are tied one to another, I implemented a single Issuer (which I'm using with a Generic endpoint). From what I saw in examples and implementation of TokenMap, expiry time is taken from Grant that is passed to the issuer. This however implies that maybe I should implement different Issuer for both access and refresh grants? This however doesn't make sense either since I need to use different - and probably somehow hardcoded - expiry times for both of those tokens. Or perhaps I don't understand where this Grant instance comes from when implementing an Issuer.

One thing that confuses me on top of this is how to set different access and refresh token expiry times when using TokenMap. It seems to me that they are always set to the same expiry time and it cannot be changed.

Maybe this is also related to #117 and I'd be happy to help out with some examples once I understand how to implement this.

ondrowan · May 04 '22 15:05

> This however implies that maybe I should implement different Issuer for both access and refresh grants?

Yes, indeed. The expiry time in the Grant is a suggestion; what will be authoritative is what's stored in your issuer and returned on recover_*. (Though you should make an effort to provide the right duration to the user.) The only standard way to communicate the refresh token's expiry time would be through RFC7662 (Token Introspection), however this hasn't been implemented as of now. So, there's no need to really return this different expiry time in any result other than store it internally within the issuer.

TokenMap doesn't have a setter for different expiry, however this should be simple enough to add. Willing to take a PR or have this open as a tracking issue of sorts.

HeroicKatora · May 04 '22 16:05
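To make the single-issuer approach from the answer concrete, here is an added, self-contained Rust sketch that is not oxide-auth's own code: the Grant and Issued stand-ins, the unix-second timestamps and the caller-supplied token generator are all assumptions of this example (the crate's real Issuer trait, Grant and IssuedToken differ in signatures and use chrono times). The issuer stores both token kinds under its own hardcoded lifetimes, so the `until` it returns on recovery is authoritative regardless of what the grant suggested, and refresh tokens are single-use.

```rust
use std::collections::HashMap;
use std::time::Duration;

/// Minimal stand-in for oxide-auth's Grant (constructed for this example, not the
/// crate's type). `until` is the suggestion the issuer receives, in unix seconds.
#[derive(Clone)]
pub struct Grant { pub owner_id: String, pub client_id: String, pub scope: String, pub until: u64 }
/// What `issue` hands back: an access/refresh pair plus the access token's expiry.
pub struct Issued { pub token: String, pub refresh: String, pub until: u64 }
/// One issuer holding both token kinds, each under its own hardcoded lifetime.
pub struct SplitExpiryIssuer {
    access_ttl: Duration,
    refresh_ttl: Duration,
    access_tokens: HashMap<String, Grant>,  // token -> grant with the authoritative `until`
    refresh_tokens: HashMap<String, Grant>,
    gen: Box<dyn FnMut() -> String>,        // production: a CSPRNG-backed generator (e.g. the crate's RandomGenerator)
}

impl SplitExpiryIssuer {
    pub fn new(access_ttl: Duration, refresh_ttl: Duration, gen: Box<dyn FnMut() -> String>) -> Self {
        Self { access_ttl, refresh_ttl, access_tokens: HashMap::new(), refresh_tokens: HashMap::new(), gen }
    }

    /// Issue a pair at time `now`; the grant's suggested `until` is replaced by policy.
    pub fn issue(&mut self, grant: Grant, now: u64) -> Issued {
        let token = (self.gen)();
        let refresh = (self.gen)();
        let access_until = now + self.access_ttl.as_secs();
        let mut access_grant = grant.clone();
        access_grant.until = access_until;
        let mut refresh_grant = grant;
        refresh_grant.until = now + self.refresh_ttl.as_secs();
        self.access_tokens.insert(token.clone(), access_grant);
        self.refresh_tokens.insert(refresh.clone(), refresh_grant);
        Issued { token, refresh, until: access_until }
    }

    /// Authoritative lookups: the stored `until`, not the grant's suggestion, decides validity.
    pub fn recover_token(&self, token: &str, now: u64) -> Option<&Grant> {
        self.access_tokens.get(token).filter(|g| g.until > now)
    }
    pub fn recover_refresh(&self, refresh: &str, now: u64) -> Option<&Grant> {
        self.refresh_tokens.get(refresh).filter(|g| g.until > now)
    }

    /// Rotation: a refresh token is consumed on use and must itself still be valid.
    pub fn refresh(&mut self, refresh: &str, now: u64) -> Option<Issued> {
        let grant = self.refresh_tokens.remove(refresh).filter(|g| g.until > now)?;
        Some(self.issue(grant, now))
    }
}
```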