# ory-network
b
Hello guys, I am still struggling with the refresh thing. I'm not sure if I don't understand what's going on, but I tried to add the `refresh` query parameter using this GitHub repo (https://github.com/ory/kratos-selfservice-ui-react-nextjs) and set the session lifespan to 1m. I did some console logs to see what's going on and from what I can see, the refresh property is not set to true, even if it is defined as true in the query params. Am I missing some configuration stuff or something?
h
@User sorry to hear you're having trouble. Could you briefly explain what you expect the system to do, like: "I want the user to re-confirm their session" or "I want to extend the lifetime of the user's session"?
b
@User so currently we have a custom SSO service which we want to migrate to Ory as it is old and unmaintained. Our functionality is based on AT/RT and in our website, if the AT is expired, we renew it based on the existing RT, and this is what we want to achieve. We want to keep the user logged in as much as we can by extending the current session. And we are planning to launch a mobile app where we would like to do the same: login once, then stay logged in.
I know Ory works differently but I am curious if I can achieve the same thing.
h
In Ory Kratos you do not need refresh and access tokens. Instead, you get an Ory Session Cookie and Ory Session Token. Those do not need to be refreshed and you can revoke the user's logout at any time. What you describe is kind-of-OAuth2, but if you have only one app then Ory Session Cookies/Tokens are the most secure and best way you can implement session auth.
We also have an OAuth2 product but I don't think your use case warrants the use of it, as OAuth2 is really, really complicated and for very advanced use cases. If you ever need OAuth2 later on, you can put it on top of the other Ory stuff and get it for free 🙂
b
So you say that I just have to set a long session lifespan?
And that would be the alternative to what we have atm?
m
Hey @User, exactly, you just have a very long session. The refresh token in OAuth2-based flows is mainly there to have a mechanism for logging out (invalidating) sessions. You don't need that with Ory since, as Aeneas mentioned above, you can revoke the user's access at any time with the Ory Session (cookie / token).
I am doing a little writeup of this topic; you can already check out a preview (still in the editing phase but open for feedback 🤗).
b
Hey @User, so basically the AT/RT strategy somehow applies to sessions, but in a different way (more manageable and without needing to refetch AT/RT on the client side). This is what I understood from this article. I think that this article is pretty good overall, but I would maybe add an example for better understanding? It is just an idea.