# HG changeset patch # User Kim Alvefur # Date 1690155014 -7200 # Node ID d8622797e315007a758a70a6bc941556bcf6e28c # Parent 59d5fc50f60221ec2102fadaddb353b6db46d10b mod_http_oauth2: Shorten default token validity periods With refresh tokens, short lifetime for access tokens is not a problem. The arbitrary choice of one hour seems reasonable. RFC 6749 has it as example value. One week for refresh tokens matching the default archive retention period. This means that a client that remains unused for one week will have to sign in again. An actively used client will continually push that forward with each used refresh token. diff -r 59d5fc50f602 -r d8622797e315 mod_http_oauth2/README.markdown --- a/mod_http_oauth2/README.markdown Sun Jul 23 02:56:08 2023 +0200 +++ b/mod_http_oauth2/README.markdown Mon Jul 24 01:30:14 2023 +0200 @@ -100,8 +100,8 @@ The defaults are recommended. ```lua -oauth2_access_token_ttl = 86400 -- 24 hours -oauth2_refresh_token_ttl = nil -- unlimited unless revoked by the user +oauth2_access_token_ttl = 3600 -- one hour +oauth2_refresh_token_ttl = 604800 -- one week ``` ### Dynamic client registration diff -r 59d5fc50f602 -r d8622797e315 mod_http_oauth2/mod_http_oauth2.lua --- a/mod_http_oauth2/mod_http_oauth2.lua Sun Jul 23 02:56:08 2023 +0200 +++ b/mod_http_oauth2/mod_http_oauth2.lua Mon Jul 24 01:30:14 2023 +0200 @@ -101,8 +101,8 @@ local tokens = module:depends("tokenauth"); -local default_access_ttl = module:get_option_number("oauth2_access_token_ttl", 86400); -local default_refresh_ttl = module:get_option_number("oauth2_refresh_token_ttl", nil); +local default_access_ttl = module:get_option_number("oauth2_access_token_ttl", 3600); +local default_refresh_ttl = module:get_option_period("oauth2_refresh_token_ttl", 604800); -- Used to derive client_secret from client_id, set to enable stateless dynamic registration. local registration_key = module:get_option_string("oauth2_registration_key");