Refresh-token-revocation (Section)
Path: /profiles/profile/settings/authorization-server/refresh-token-revocation
Settings related to the revocation of a refresh token after it has been used. Only applies if reuse-refresh-tokens is false.
Parameters
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| grace-period | uint16 | optional | 0 | A period, in seconds, in which refresh-tokens are still considered valid even after being utilized. If set to 0 (default), no grace period is allowed and the token is revoked immediately. Note: longer grace periods widen the window in which a leaked refresh token can be replayed; keep this value as short as the client retry behaviour requires. |
| revocation-max-retries | uint16 | optional | 2 | Maximum number of refresh-token revocation retries after the grace-period has elapsed. |
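
The effect of grace-period on a refresh token that is presented again after its first use, as an added example that is not the product's own code. It is a toy in-memory model: the names RotatingTokenStore, redeem and replay_outcomes are hypothetical, the timestamps are constructed, the window is assumed to close grace-period seconds after first use, and revocation-max-retries is not modelled.

```python
# Added illustration: toy model of one-time-use refresh tokens with a grace
# period. All names here are hypothetical; this is not a product API.
import secrets


class RotatingTokenStore:
    def __init__(self, grace_period: int = 0):
        self.grace_period = grace_period  # seconds, mirrors `grace-period`
        self.first_used_at = {}           # token -> time of first use (None = unused)

    def issue(self) -> str:
        token = secrets.token_urlsafe(16)
        self.first_used_at[token] = None
        return token

    def redeem(self, token: str, now: float):
        """Return a new refresh token, or None if `token` is unknown or revoked."""
        if token not in self.first_used_at:
            return None
        used_at = self.first_used_at[token]
        if used_at is None:
            self.first_used_at[token] = now  # first use starts the grace window
            return self.issue()
        if now - used_at < self.grace_period:
            return self.issue()              # repeat use inside the window is accepted
        del self.first_used_at[token]        # window closed: token is revoked
        return None


def replay_outcomes(grace_period: int, replay_delays):
    """Use a token at t=0, then present it again after each delay (constructed timeline).

    Returns one boolean per delay: True if the repeat use was accepted.
    """
    store = RotatingTokenStore(grace_period)
    token = store.issue()
    assert store.redeem(token, now=0) is not None  # legitimate first use
    return [store.redeem(token, now=d) is not None for d in replay_delays]


if __name__ == "__main__":
    print(replay_outcomes(0, [0, 1]))       # [False, False]
    print(replay_outcomes(10, [3, 9, 11]))  # [True, True, False]
```

With grace-period 0 every repeat use is refused; with 10, any holder of the used token, including one who obtained it through a leak, is still served for the length of the window.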