This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push:
new 88c5106fef Improved: Authentication refresh token mechanism feature (OFBIZ-13212)
88c5106fef is described below
commit 88c5106fef4e80cf089ed1ba0f00ae7026df0d15
Author: Jacques Le Roux <[email protected]>
AuthorDate: Sun Apr 27 10:06:26 2025 +0200
Improved: Authentication refresh token mechanism feature (OFBIZ-13212)
The refresh token validity is set to 84,600 seconds, i.e. almost a day (23.5 hours).
That sounds too much to me. I believe 8 hours, or even less, would be enough.
People rarely work straight for longer than that on Single-Page Applications (SPAs) or a mobile application, which are mostly what the consumers of ID tokens do, as explained by
https://auth0.com/blog/refresh-tokens-what-are-they-and-when-to-use-them/#Token-Types
For security reasons, this sets security.jwt.refresh.token.expireTime to 28800 seconds, i.e. 8 hours.
---
framework/security/config/security.properties | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties
index 21d584bca0..1d365ea88d 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -150,7 +150,7 @@
login.secret_key_string=p2s5u8x/A?D(G+KbPeShVmYq3t6w9z$B&E)H@McQfTjWnZr4u7x!A%D*
security.jwt.token.expireTime=1800
# -- Time To Live of the refresh token send to the external server in seconds
-security.jwt.refresh.token.expireTime=84600
+security.jwt.refresh.token.expireTime=28800
# -- Enables the internal Single Sign On feature which allows a token based
login between OFBiz instances
# To make this work you also have to configure a secret key with
security.token.key
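Review bot: the comment directly above the changed property still reads "Time To Live of the refresh token send to the external server in seconds"; since this hunk already touches that property, fix "send" to "sent" and record the rationale for the new value in the comment itself (e.g. "# -- ... in seconds (28800 = one 8-hour working day; the refresh token is longer-lived than the 1800 s access token above, so keep it as short as the use case allows)"), so the reasoning lives in security.properties and not only in the commit message.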