Managing refresh tokens

I have an increasing number of refresh tokens, which I have to delete from time to time when they are older than one week.
From my point of view, that activity should not exist.

A refresh token will be deleted when logging off from HA.
But some of my Android apps like wallpanel and HA create new tokens for every new logon, as I configured a display user where the header and menu button are hidden via CCH.
These apps will not explicitly log off, and so the old refresh token stays in the list.

Displays, the family and myself have increased the number of these apps.
And none of them, even if the menu were available, would tap on the menu button, User, Log off.
Last but not least, I prefer to avoid giving everyone access to the sidebar.

Solution approaches:

  • Delete old unused refresh tokens after a certain time.
  • Create a service which deletes old tokens. This could be used in an automation.
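One way to express the "delete refresh tokens unused for a week" rule from the solution approaches above, as an added Python example that is not Home Assistant's own code: the token record, its field names and the in-memory store are assumptions, and the sample tokens are constructed. The age of a token is measured from its last use (or its creation if it was never used), so a display that stays logged in and keeps refreshing is not revoked, while tokens left behind by apps that never log off are.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

# Hypothetical token record; the field names are assumptions,
# not Home Assistant's own refresh-token schema.
@dataclass
class RefreshToken:
    token_id: str
    client_name: str
    created_at: datetime
    last_used_at: Optional[datetime]  # None if the token was issued but never used


def stale_tokens(tokens: Iterable[RefreshToken], now: datetime,
                 max_idle: timedelta = timedelta(days=7)) -> List[RefreshToken]:
    """Return the tokens that should be revoked: any token whose last activity
    (last use, or creation when it was never used) is older than max_idle."""
    stale = []
    for tok in tokens:
        last_activity = tok.last_used_at or tok.created_at
        if now - last_activity > max_idle:
            stale.append(tok)
    return stale


def revoke_stale(store: Dict[str, RefreshToken], now: Optional[datetime] = None,
                 max_idle: timedelta = timedelta(days=7)) -> List[str]:
    """Delete stale tokens from the store in place and return the revoked ids.
    This is the body a 'delete old tokens' service called from an automation
    would run on each invocation."""
    if now is None:
        now = datetime.now(timezone.utc)
    revoked = [tok.token_id for tok in stale_tokens(store.values(), now, max_idle)]
    for token_id in revoked:
        del store[token_id]
    return revoked


# Constructed sample data: a fixed "now" so the result is reproducible.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)


def make_store() -> Dict[str, RefreshToken]:
    """Constructed token list resembling the situation described in the post."""
    tokens = [
        # wallpanel logged on again weeks ago; this older token was abandoned
        RefreshToken("t1", "wallpanel", NOW - timedelta(days=30), NOW - timedelta(days=20)),
        # wallpanel's current token, refreshed an hour ago
        RefreshToken("t2", "wallpanel", NOW - timedelta(days=2), NOW - timedelta(hours=1)),
        # backup laptop, last used six days ago: still inside the window
        RefreshToken("t3", "laptop", NOW - timedelta(days=10), NOW - timedelta(days=6)),
        # token issued eight days ago and never used at all
        RefreshToken("t4", "ha-app", NOW - timedelta(days=8), None),
        # touchscreen left on for weeks but actively refreshing
        RefreshToken("t5", "kitchen-display", NOW - timedelta(days=40), NOW - timedelta(days=2)),
    ]
    return {tok.token_id: tok for tok in tokens}


if __name__ == "__main__":
    store = make_store()
    print("revoked:", revoke_stale(store, NOW))
    print("remaining:", sorted(store))
```

Run as a script it revokes `t1` and `t4` and keeps the three tokens that were used within the last seven days. Counting idleness rather than age since issue is the important choice: a creation-time cutoff would log out the always-on display, which is exactly the device the post wants to keep working.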

Sounds like a good idea 🙂

I definitely think this is a good idea.
Or - to put it another way - what is the advantage of a token if the end device is no longer using it?
From a security point of view, that means it is more likely for an old token to be reused for an unintended use.
So, perhaps an approach would be to determine when a session has ended and revoke / delete that token? The end user has the option to save their password on the client device - I presume that allows a new token to be recreated automatically?
This would allow for touchscreen devices that are left continuously on for days, as well as my backup laptop which may not be used for days…
