How can I get a new refresh token from FusionAuth?

dan

What is the best way to refresh a refresh token and auth token? I was under the impression that this API will help me do that. I could not find an API to get a new refresh token.

dan

In order to get a new refresh token, the user will need to log in again (or provide the username, password and application Id which you can then use with the Login API). See https://fusionauth.io/docs/v1/tech/tutorials/json-web-tokens#refresh-tokens for more information.

Based on the security needs of your application, you can set the lifetime of your refresh tokens (see the application.jwtConfiguration.refreshTokenTimeToLiveInMinutes setting here: https://fusionauth.io/docs/v1/tech/apis/applications) , but you can't get a new one without the user providing their credentials again.

bboure

Thank you Dan for your question/answer.
I was wondering how to maintain a user's session (i.e.: "remember me") as long as the user comes back frequently?
e.g: if the user is inactive for > 30 days (lifetime of refresh token), the user would have to login again.
but if the user comes back every few days, ideally we do not want to end the session every 30 days for UX reasons.

What is the recommended way of handling that?

Note: Sorry, I am quite new to JWT, I am still trying to understand how it all works.

dan

Hiya, no worries!

As mentioned in this github comment, we don't support continually renewing refresh tokens, as that essentially means that users remain logged in forever.

We do not currently issue a new refresh token during the refresh_token grant. If the refresh token you sent is valid you'll get a new access_token back. Once your refresh token expires, you'll need to request a new one by requiring the user to authenticate again.
If we were to issue a new - or "refreshed" (updated expiration) each time you used the refresh token to gain a new access token using the refresh_token grant - that would effectively provide a sliding window session. This would allow for a perpetual use token which we do not support.

Totally understand your UX concerns. There's a tension between ease of use and security that only you can balance.

I don't know the application or data you're working with, so I can't make firm recommendations. However, you can set the refresh token to have a long lifetime like 180 days. That is a setting in the tenant screen or tenant.jwtConfiguration.refreshTokenTimeToLiveInMinutes in the API. And then have the user log in after the refresh token has expired.

Please feel free to file an issue in the GitHub repo explaining the use case for perpetual use tokens. We can't commit to any implementation but we love to hear what customers want, and GitHub is what our engineering team uses to feed the development backlog.

dan

@bboure You may be interested in this new feature from the 1.17.0 release, which allows for a sliding window of refresh tokens:

Sliding Window Refresh Token Expiration. By default the expiration of a refresh token is calculated from the time it was originally issued. Beginning in this release you may optionally configure the refresh token expiration to be based upon a sliding window. A sliding window expiration means that the expiration is calculated from the last time the refresh token was used. This expiration policy means that if you are using refresh tokens to maintain a user session, the session can be maintained as long as the user remains active. This expiration policy must be enabled at the tenant level, and may optionally be overridden by the Application JWT configuration.