The client secret is a confidential key used to communicate with the authorization server. Client secret example: 1912308468823890
The limitations for refresh tokens are:
- Non-rotatable: There's no limit to their usage as they never expire.
- Rotatable: There are certain limits to their usage:
  - They stop being reusable after the defined lifespan.
  - Each one can only be used once during its defined lifespan.
  - The lifespan is fixed and is shared among all tokens refreshed from the first one.
  - The latest refresh token becomes invalid if you fail to generate the next rotatable refresh token.
For example:
- Set lifetime to 10 minutes.
- Complete OAuth, generate an access token, and refresh token 'A'.
- After five minutes, use refresh token A to generate a new access token and refresh token B.
- After seven minutes, use refresh token B to obtain a fresh access token. You'll receive an error stating that token B has expired, as its lifespan is calculated from the time A was generated.
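The scenario above, modelled as an added example (not the product's own code): a hypothetical in-memory store where the first refresh token of a family fixes the expiry deadline, every successor inherits that deadline, and each token is single-use. It assumes the "seven minutes" in the last step are counted from when B was issued, so 12 minutes have elapsed when B is presented.

```python
import secrets
from dataclasses import dataclass

class RefreshError(Exception):
    """Raised when a refresh token cannot be exchanged."""

@dataclass
class _Entry:
    family_expires_at: float  # fixed when the family's first token is issued
    used: bool = False

class RotatableRefreshStore:
    """Hypothetical in-memory store modelling rotatable refresh tokens."""

    def __init__(self, lifetime_seconds: int):
        self.lifetime = lifetime_seconds
        self._tokens: dict[str, _Entry] = {}

    def issue_initial(self, now: float) -> str:
        # First token of a family: the lifespan clock starts here and is
        # inherited by every token later refreshed from it.
        return self._store(now + self.lifetime)

    def rotate(self, token: str, now: float) -> str:
        entry = self._tokens.get(token)
        if entry is None:
            raise RefreshError("unknown token")
        if now >= entry.family_expires_at:
            raise RefreshError("expired")
        if entry.used:
            raise RefreshError("already used")
        entry.used = True  # single use: the presented token is spent here
        return self._store(entry.family_expires_at)  # successor keeps the deadline

    def _store(self, expires_at: float) -> str:
        value = secrets.token_urlsafe(32)
        self._tokens[value] = _Entry(expires_at)
        return value

def run_example() -> str:
    """Replay the 10-minute scenario; return the error token B produces."""
    store = RotatableRefreshStore(lifetime_seconds=10 * 60)
    a = store.issue_initial(now=0)     # minute 0: access token + refresh token A
    b = store.rotate(a, now=5 * 60)    # minute 5: A -> B
    try:
        store.rotate(b, now=12 * 60)   # seven minutes later, past the minute-10 deadline
    except RefreshError as exc:
        return str(exc)
    return "ok"
```

Presenting A a second time after it has been rotated is refused as well, which is the single-use rule in action.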
You rotate your client secret to issue a refresh token and invalidate the previous token. This adds a further layer of security.
To rotate the secret:
- Select OAuth Clients from the main menu.
- Select a client from your list.
- Beneath Refresh token behavior, select either:
  - Non-rotatable, or
  - Rotatable
- Specify the Refresh token lifetime. Either:
  - Input a value directly.
  - Use the arrows at the end of the row to increase or decrease the token duration.
Note: The default value is 43,200 seconds, which is a 12-hour token. A token can remain valid for at most 365 days. Consult your company's security policies when choosing this value.