Refresh token: expire after a certain interval?

[jez9999]

We're currently using refresh tokens with the following setup:

    // Allow use of sliding refresh token, which changes handle every refresh request
    AllowOfflineAccess = true, // Client requests scope 'offline_access' to be issued a refresh token
    AccessTokenLifetime = 3600, // 1 hour
    AbsoluteRefreshTokenLifetime = 0,
    SlidingRefreshTokenLifetime = 1296000, // 15 days
    RefreshTokenExpiration = TokenExpiration.Sliding,
    RefreshTokenUsage = TokenUsage.OneTimeOnly,
    UpdateAccessTokenClaimsOnRefresh = true

We want to keep using the sliding token expiration, but we want to allow for the client making several quick requests in succession with the same refresh token by having it expire after, say, 1 hour instead of immediately. My understanding is that if we change RefreshTokenUsage to TokenUsage.ReUse, the refresh token won't expire at all, but OneTimeOnly makes it expire immediately. Is there a way we can achieve this "expire after x interval" behaviour?

[brockallen]

https://leastprivilege.com/2020/06/29/refresh-tokens-in-identityserver4-v4/

[jez9999]

@brockallen Was the "mark a refresh token as consumed rather than delete it from the DB" behaviour implemented in version 4.0.1 or something? On the version 3.x we're using, it actually is deleting it.

[leastprivilege]

yes. Starting with v4

[jez9999]

@leastprivilege Is there any guide for migrating from identityserver 3.x to 4.x?

[leastprivilege]

#4592

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
Questions are community supported only and the authors/maintainers may or may not have time to reply. If you or your company would like commercial support, please see here for more information.

[github-actions]

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.