Make oauth2 tokens expiration time configurable #42738
Currently, access tokens that are given out by Nextcloud are hard coded to be valid for 3600 seconds: https://github.com/nextcloud/server/blob/48628b90690d8204e7875d561b8115c526cc9176/apps/oauth2/lib/Controller/OauthApiController.php#L203-L223C21
RFC 6750 states that: https://datatracker.ietf.org/doc/html/rfc6750#section-5.2
Following these guidelines, a server administrator might want to reduce the validity of a token to a shorter interval. Conversely, there may also be situations in which a server administrator may want to extend the expiration time of a token, following careful consideration of the impact of such a decision.
I therefore propose that we make the oauth2 access token validity time configurable. I am willing to submit a PR for this, if others think that this could be useful?