Hi All: How to clear expired tokens?
# talk-hydra
h
Hi All: How to clear expired tokens?
g
Hi @hallowed-postman-21092, I think this command can help you: `hydra token flush`. Check the documentation for more options (flags): https://www.ory.sh/docs/hydra/cli/hydra-token-flush
h
Thanks @gifted-salesmen-20057. This command can clear the refresh token, right?
g
No, it doesn't clear the refresh token. Refresh tokens cannot be flushed, as they are deleted automatically when performing the refresh flow.
h
Does that mean that if I do not use the refresh flow, the refresh token will not be completely removed, right? For example, a call to get token / refresh and then a call to get token again with prompt=login to skip the steps, etc.
@gifted-salesmen-20057 I'm not quite sure what performing the refresh flow means. If you mean the API to exchange for a new refresh token, it does not clear the old refresh token. It only marks it inactive.
g
> I'm not quite sure what performing the refresh flow means.

https://www.ory.sh/docs/oauth2-oidc/refresh-token-grant#refresh-token-flow

> If you mean the API to exchange for a new refresh token, it does not clear the old refresh token. It only marks it inactive.

Yes, I mean the API to exchange for a new refresh token. I will have to check if it only marks it as inactive or deletes it.
Hi @hallowed-postman-21092, in Hydra 2.0 `hydra token flush` is removed; instead of that, you can use `hydra janitor --tokens` to flush the expired tokens (access as well as refresh tokens). If you want to perform token clean-up, use `hydra janitor`; check this doc. While using the command, don't forget to add extra parameters / flags like `--refresh-lifespan 1s --access-lifespan 1s`; you can check the description for these flags in the docs. This will remove the access tokens as well as the refresh tokens which satisfy the above flags. Example: `hydra janitor --tokens $DSN --refresh-lifespan 1s --access-lifespan 1s`. With `hydra token flush` there are also some flags with which you can check if it deletes the refresh token or not.
h
Thank you @gifted-salesmen-20057 for helping here 🙂
h
@gifted-salesmen-20057 Thanks for the suggestion. It is related to my previous question. I already used `hydra janitor`, but in production the expired refresh tokens are not deleted at all (I assume this from the column `active=false`). I am not clear about what the `refresh-lifespan 1s` parameter means: it will set a new expiration, or delete the refresh token if it is younger than 1s. However, I spent a lot of time trying to understand how `janitor` removes data, but it does not delete old data as I expected. And I see it removes active refresh tokens, too. Could you please confirm this? I am preparing the next command to clean data with the `--limit` parameter to delete more data, because the size of the refresh tokens that have `active=false` is around ~30GB. I need to delete it all. FYI, I am still using Hydra v1.11.8. Next command:
`hydra janitor $DSN --tokens --keep-if-younger 23h --access-lifespan 1h --refresh-lifespan 730h --limit 1000000`
FYI, we got complaints from our users who were affected by my mistake of running `janitor`, which deleted active refresh tokens. @high-optician-2097 Could you please confirm that janitor will delete only expired refresh tokens?
g
> It is related to my previous question. I already used `hydra janitor`, but in production the expired refresh tokens are not deleted at all (I assume this from the column `active=false`). I am not clear about what the `refresh-lifespan 1s` parameter means: it will set a new expiration, or delete the refresh token if it is younger than 1s.

As I have checked in the database, there are no records. When I checked with some random string on `introspect`, I also got `active=false`, which means if there is no token, it gives `active=false`, so you cannot determine if it was deleted or not. Check out the below screenshot.

> I am not clear about what the `refresh-lifespan 1s` parameter means: it will set a new expiration, or delete the refresh token if it is younger than 1s.

I also think it will delete the refresh token whose lifespan is younger than `1s`. I will check the previous question, check the command, and let you know.
h
@gifted-salesmen-20057 Thanks for helping me. One question: `janitor` doesn't have an option to delete only expired tokens, right? I will try to check the refresh-lifespan option and test it locally.