Expiration time per client


#1

Hi guys!
I have a simple question. At this moment, access token lifetime is configured globally. Would you consider setting a different access token expiration time per client (falling back to the global value if not defined)?
An access token for a mobile application (implicit or authorization code) is not the same as one for a server-side app (client credentials).

Thanks in advance!


#2

That’s not possible, is considered bad practice, and is an anti-pattern. Here’s why:

  1. Implicit flow is discouraged (https://tools.ietf.org/html/rfc8252) and should be replaced with the authorization code flow using public clients with PKCE (currently not supported, but it will land in 1.0)
  2. If you use the auth code flow you have refresh tokens, so you don’t need long-lived access tokens

Hope that helps!