This article clarifies refresh token behavior. That behavior can be the cause of an HTTP 400 error from the /token endpoint stating that the refresh token is invalid or expired, or of users being signed out of the application automatically.
- OIDC Applications
- Authorization Code
- Resource Owner Password
After authenticating and receiving a refresh token, the token's expiration time is set from its configured lifetime. When the refresh token is used and a new refresh token is returned, the new token keeps the same expiration time as the token it replaces. The expiration time of a refresh token can be checked with the introspect endpoint.
On an org authorization server, the refresh token's lifetime is always 90 days, and there is no idle refresh token time.
On a custom authorization server, the lifetime can be configured between 10 minutes and 5 years, or set to no lifetime (unlimited). Additionally, there is a setting that expires the tokens after a period of not being used: the access token and the refresh token automatically expire if they are not rotated within that window.
Below is an example of an access policy on a custom authorization server, with the access token and refresh token lifetimes that result from this policy.
- The access tokens being returned last at most 10 minutes. After 10 minutes the access token expires, and the refresh token must be used to retrieve a new access token, which again lasts 10 minutes.
- The refresh tokens have a total lifetime of 45 minutes. 45 minutes after the initial authentication, the refresh token expires, and the user must re-authenticate to obtain a new set of tokens.
- If the refresh token is not used within 30 minutes, it expires and the user must re-authenticate to obtain a new set of tokens.
NOTE: The idle refresh token lifetime (expiration window) must be between the access token lifetime and the refresh token lifetime.
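The following Python model is an added example, not Okta's code, that simulates the policy described above (10 minute access tokens, 45 minute refresh token lifetime, 30 minute idle window) so the two expiry rules can be seen separately: the absolute expiration is fixed at initial authentication and survives rotation, while the idle window resets on every use. The status strings, the `>=` boundary handling and the `T0` start time are assumptions of the example; in production the authoritative expiration time comes from the introspect endpoint.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Policy values from the article's example access policy.
ACCESS_LIFETIME = timedelta(minutes=10)
REFRESH_LIFETIME = timedelta(minutes=45)
REFRESH_IDLE = timedelta(minutes=30)

# Constructed start time for the simulation (assumption, not from the article).
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)


def at(minutes: float) -> datetime:
    """Clock reading 'minutes' after the initial authentication."""
    return T0 + timedelta(minutes=minutes)


def validate_policy(access: timedelta, refresh_total: timedelta, refresh_idle: timedelta) -> bool:
    """Mirror the article's rule: the idle window must lie between the
    access token lifetime and the refresh token lifetime."""
    return access <= refresh_idle <= refresh_total


@dataclass
class TokenSet:
    issued_at: datetime    # time of the initial authentication
    access_exp: datetime   # access token expiry, reset on every refresh
    refresh_exp: datetime  # refresh token expiry, fixed at initial auth
    last_used: datetime    # last time the refresh token was presented


def authenticate(now: datetime) -> TokenSet:
    """Initial authentication: both expiries are computed from 'now'."""
    return TokenSet(now, now + ACCESS_LIFETIME, now + REFRESH_LIFETIME, now)


def refresh_token_status(tokens: TokenSet, now: datetime) -> str:
    """Status the /token endpoint would report for a refresh attempt.
    The absolute lifetime is checked first, then the idle window.
    Boundary handling (>=) is an assumption of this model."""
    if now >= tokens.refresh_exp:
        return "expired_lifetime"
    if now - tokens.last_used >= REFRESH_IDLE:
        return "expired_idle"
    return "active"


def access_token_status(tokens: TokenSet, now: datetime) -> str:
    return "expired" if now >= tokens.access_exp else "active"


def refresh(tokens: TokenSet, now: datetime) -> TokenSet:
    """Rotate the tokens. The new refresh token keeps the old absolute
    expiry; only the access token expiry and the idle clock move forward."""
    status = refresh_token_status(tokens, now)
    if status != "active":
        # A real server answers HTTP 400 invalid_grant here.
        raise ValueError(f"invalid_grant: {status}")
    return TokenSet(tokens.issued_at, now + ACCESS_LIFETIME, tokens.refresh_exp, now)


def simulate(refresh_minutes: list) -> list:
    """Authenticate at T0, then attempt a refresh at each minute offset.
    Returns the refresh token status seen at each attempt."""
    tokens = authenticate(at(0))
    results = []
    for m in refresh_minutes:
        status = refresh_token_status(tokens, at(m))
        results.append(status)
        if status == "active":
            tokens = refresh(tokens, at(m))
    return results


if __name__ == "__main__":
    print(validate_policy(ACCESS_LIFETIME, REFRESH_LIFETIME, REFRESH_IDLE))
    print(simulate([10, 20, 30, 40, 44]))   # all active: used regularly, within 45 min
    print(simulate([10, 41]))               # second attempt idle for 31 min
    print(simulate([10, 20, 30, 40, 45]))   # last attempt past the 45 min lifetime
```

Running the simulation shows why a client that refreshes regularly still gets signed out at 45 minutes, and why a client that goes quiet for more than 30 minutes gets the 400 earlier than that.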
