As I understand it, the basic idea is that you have an accessToken (15 minutes) and a refreshToken (1 week). A few moments before the accessToken expires, you need to ask the server for a new accessToken.
If the user closed the browser before the 15 minutes ends, and the client didn't refresh the tokens, you need to re-login because the accessToken is obsolete and you can't refresh the accessToken without both of the tokens.
Isn't that a bad experience? If I'm not active for 15 minutes, I need to re-login...
Am I missing something here?