Hello guys, I am still struggling with the refresh...
# ory-network
Hello guys, I am still struggling with the refresh thing. I’m not sure if I don’t understand whats going on but I tried to add the
query parameter using this github repo (https://github.com/ory/kratos-selfservice-ui-react-nextjs) and set session lifespan in 1m. I did some console logs to see what’s going on and from what I can see, the refresh property is not set to true, even if it is defined as true in query params. Am I missing some configuration stuff or something ?
@User sorry to hear you’re having trouble. Could you briefly explain what you expect the system to do, like: “I want that the user re-confirms their session” or “I want to extend the lifetime of the user’s session”
@User so currently we have custom SSO service which we want to migrate to Ory as it is old and unmaintained. Our functionality is based on AT/RT and in our website, if the AT is expired, we renew it based on the existing RT and this is what we want to achieve. We want to keep the user logged in as much as we can by extending current session. And we are planning to launch a mobile app where we would like to do the same: login once, then stay logged in.
I know Ory works differently but I am curios if I can achieve same thing.
In Ory Kratos you do not need refresh and access tokens. Instead, you get an Ory Session Cookie and Ory Session Token. Those do not need to be refreshed and you can revoke the user’s logout at any time. What you describe is kind-of-oauth2 but if you have only one app then Ory Session Cookies/Tokens are the most secure and best way you can implement session auth
We also have an OAuth2 product but I don’t think your use case warrants the use of it as it OAuth2 really really complicated and for very advanced use cases. If you ever need OAuth2 later on, you can put it on top of the other Ory stuff and get it for free 🙂
So you say that I just have to set a long session lifespan ?
And that would be the alternative to what we have atm ?
Hey @User Exactly you just have a very long session. The refresh token in Oauth2 based flows is mainly to have a mechanism for loggin out (invalidating) sessions. You dont need that with Ory since as Aeneas mentioned above you can revoke the users access any time with Ory Session (cookie / token)
I am doing a little writeup of this topic, you can already check out a preview (still in editing phase but open for feedback 🤗 )
Hey @User, So basically somehow the AT/RT strategy applies to session but in a different way (more manageable and without needing to refetch AT/RT on the client side) . This is what I understood from this article. I think that this article is pretty good overall but I would maybe add an example for better understanding ? It is just an idea.