Refresh token custom expiration

[fgirardey]

Hi,

Is there a way to configure the refresh token expiration at login time?

I would like to add a feature to my product where a super administrator could force its users to have a short session. I don't want to handle many clients and treat that customization at refresh time. Is it even possible?

Thanks

[vinckr]

Hello @fgirardey

I think you are rather looking for a project like Ory Kratos which is more focused on IAM and session management.

See this blogpost, specifically the section on "Session Management" why handling sessions with OAuth2 is complex / not ideal.