mod_http_oauth2: Shorten default token validity periods
With refresh tokens, short lifetime for access tokens is not a problem.
The arbitrary choice of one hour seems reasonable. RFC 6749 has it as
example value.
One week for refresh tokens matching the default archive retention
period. This means that a client that remains unused for one week will
have to sign in again. An actively used client will continually push
that forward with each used refresh token.
--- a/mod_http_oauth2/README.markdown Sun Jul 23 02:56:08 2023 +0200
+++ b/mod_http_oauth2/README.markdown Mon Jul 24 01:30:14 2023 +0200
@@ -100,8 +100,8 @@
The defaults are recommended.
```lua
-oauth2_access_token_ttl = 86400 -- 24 hours
-oauth2_refresh_token_ttl = nil -- unlimited unless revoked by the user
+oauth2_access_token_ttl = 3600 -- one hour
+oauth2_refresh_token_ttl = 604800 -- one week
```
### Dynamic client registration
--- a/mod_http_oauth2/mod_http_oauth2.lua Sun Jul 23 02:56:08 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua Mon Jul 24 01:30:14 2023 +0200
@@ -101,8 +101,8 @@
local tokens = module:depends("tokenauth");
-local default_access_ttl = module:get_option_number("oauth2_access_token_ttl", 86400);
-local default_refresh_ttl = module:get_option_number("oauth2_refresh_token_ttl", nil);
+local default_access_ttl = module:get_option_number("oauth2_access_token_ttl", 3600);
+local default_refresh_ttl = module:get_option_period("oauth2_refresh_token_ttl", 604800);
-- Used to derive client_secret from client_id, set to enable stateless dynamic registration.
local registration_key = module:get_option_string("oauth2_registration_key");