Problem with Refresh Tokens

Hello,
I am experimenting with a couple of Fully Kiosk web browsers on some Fire tablets and I was/am having some issues with them… So I have been doing experiments with the settings.

At some point, Kiosk was set to refresh and clear the cache, with trusted network login. Due to the interaction of several settings, this meant that the Kiosk was reloading each time…

Now I have a user with hundreds of Refresh tokens and another with probably thousands…

This is causing all sort of issues when trying to configure the profiles (slowness, hanging, etc)…

How can I delete them all? I have tried manually modifying auth file, but they keep re-appearing…

Thaks!

1 Like

The issue with Refresh Tokens has been there ever since they were first introduced.
They seem to jsut stay there forever and never are destroyed. I manually delete them when needed.
With that said, I’ve never had them cause a performance issue on even Raspberry Pi 3’s. It is more that they just hang around forever without self destroying after a set time of not being used, which I feel is a poor security decision.
If your “KIOSK” is always using the same credentials, you should just tell it to save the credentials and have an exception so the Home Assistant cookies / cache are not cleared. That will solve your issues with this and not cause a security issue as such. This is purely a setting in the browser and nothing to do with Home Assistant as such.
You can safely delete EVERY refresh token if you wish to. It just means any browser/mobile app that had saved credentials will ask for credentials at next login and you will just have to tell it to save them again as a once off.

1 Like

Sorry for such a delay. My problem is that there are hundreds…

Yeah, I collected quite a lot too. Seems HA doesn’t have any kind of auto cleanup policy on these, even though they are meant to be short lived tokens