The client is a console application. At login it shows a login URL, which the user needs to copy into a web browser to continue. After a successful login, the browser shows an authentication code; the user copies it back to the client and pastes it there, and the client then exchanges the code for a token. The resulting token contains a refresh token, but I do not save the refresh token because of security concerns, so I need the access token's period of validity to be unlimited.
- Sorry, it's not clear what your question is. You seem to be a bit unsure how to use refresh/access tokens and perhaps the answers to [this question](https://stackoverflow.com/questions/3487991/why-does-oauth-v2-have-both-access-and-refresh-tokens) and [this question](https://stackoverflow.com/questions/38986005/what-is-the-purpose-of-a-refresh-token/39003201#39003201) might help? An access token of unlimited validity may do away with the need for a refresh token at all (but it depends upon your requirements/system architecture). – Brits Feb 17 '20 at 03:00
- The refresh token is useless without the client secret. It is far less dangerous than an access token with an unlimited lifetime, which requires no further credentials to be used. In Hydra the token lifetimes are configured on the server. The client has no influence on them (as it should be). – Peter Feb 17 '20 at 09:07
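
An added example, not part of the question or the comments and not Hydra's own code: a console client can hold the refresh token in process memory only and renew a short-lived access token on demand, with the refresh request carrying client authentication. `TokenSession`, `make_fake_endpoint`, the `post` transport and the sample token values are constructed for illustration, and a confidential client using HTTP Basic authentication is assumed.

```python
import base64
import time
import urllib.parse


class TokenSession:
    """Keeps tokens in process memory only; nothing is written to disk."""

    def __init__(self, client_id, client_secret, token_response, post, now=time.time):
        self._client_id, self._client_secret = client_id, client_secret
        self._post = post  # hypothetical transport: callable(headers, body) -> dict
        self._now = now
        self._refresh = None
        self._store(token_response)

    def _store(self, resp):
        self._access = resp["access_token"]
        self._expires_at = self._now() + int(resp["expires_in"])
        # The server may rotate the refresh token; keep the old one if none is returned.
        self._refresh = resp.get("refresh_token", self._refresh)

    def refresh_request(self):
        """Refresh grant (RFC 6749 section 6): refresh token plus client authentication."""
        pair = ":".join(urllib.parse.quote_plus(v) for v in (self._client_id, self._client_secret))
        headers = {"Authorization": "Basic " + base64.b64encode(pair.encode()).decode(),
                   "Content-Type": "application/x-www-form-urlencoded"}
        body = urllib.parse.urlencode({"grant_type": "refresh_token", "refresh_token": self._refresh})
        return headers, body

    def access_token(self, skew=30):
        """Return a valid access token, renewing it shortly before it expires."""
        if self._now() >= self._expires_at - skew:
            self._store(self._post(*self.refresh_request()))
        return self._access


def make_fake_endpoint(client_id, client_secret):
    """Constructed stand-in for a token endpoint that requires client authentication."""
    expected = "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    count = 0

    def post(headers, body):
        nonlocal count
        if headers.get("Authorization") != expected:
            raise PermissionError("invalid_client")  # refresh token alone is not enough
        if urllib.parse.parse_qs(body).get("grant_type") != ["refresh_token"]:
            raise ValueError("unsupported_grant_type")
        count += 1
        return {"access_token": f"at-{count}", "expires_in": 3600, "refresh_token": f"rt-{count}"}

    return post
```

When the process exits, the tokens are gone and the user repeats the browser login; the access token lifetime itself stays whatever the server configured.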