Current behavior:
After initial login (with/without 2FA) it's possible to "lock" the vault, retaining offline functionality and the ability to perform a "lightweight" login without 2FA. This is sensible and convenient, but makes it impossible to enforce periodic reauthentication (e.g. once every 30 days). The only alternative is to force a full logout, but that compromises offline functionality and means a full login is required every boot/browser restart.
Desired behavior:
A "middle ground" where lock behavior still works as it does now, but a "lightweight" login doesn't update the device refresh_token. That way, even if the device is logged in daily the token still expires and forces a full reauth (with 2FA if configured) periodically.
Request:
Implement an ENV variable (or similar config option) like VW_DISABLE_REFRESH_TOKEN_RENEWAL. If set to true it only issues a new refresh token on full login, but returns the original token otherwise.
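The difference between the two policies in the request above, as an added example that is not part of the original post and is not Vaultwarden code: a small model of a refresh token that is renewed on every lightweight login versus one that keeps the expiry set at full login. The 30-day lifetime is taken from the post's example; the type and function names and the `disable_renewal` parameter are hypothetical.

```rust
// Added illustration, not Vaultwarden code. All names here are hypothetical.
const TOKEN_LIFETIME_DAYS: u64 = 30; // assumed validity window (the post's "e.g. 30 days")

struct Device {
    refresh_token: u64, // stand-in for an opaque token
    issued_day: u64,    // day the current refresh token was issued
}

#[derive(Debug, PartialEq)]
enum Refresh {
    Issued { refresh_token: u64 },
    FullLoginRequired,
}

// Deterministic stand-in so the example is reproducible; a real token must be random.
fn new_token(day: u64) -> u64 {
    day.wrapping_mul(0x9E37_79B9_7F4A_7C15) ^ 0xA5A5
}

// Full login (password, plus 2FA if configured) always issues a fresh token.
fn full_login(day: u64) -> Device {
    Device { refresh_token: new_token(day), issued_day: day }
}

// Lightweight login / token refresh. With `disable_renewal` set, the original
// token is returned unchanged, so its age keeps counting from the full login.
fn refresh(dev: &mut Device, day: u64, disable_renewal: bool) -> Refresh {
    if day.saturating_sub(dev.issued_day) >= TOKEN_LIFETIME_DAYS {
        return Refresh::FullLoginRequired;
    }
    if !disable_renewal {
        dev.refresh_token = new_token(day);
        dev.issued_day = day; // sliding expiry: the window restarts on each use
    }
    Refresh::Issued { refresh_token: dev.refresh_token }
}

// One lightweight login per day after a full login on day 0; returns the
// first day on which a full login is forced, if any.
fn first_forced_reauth(days: u64, disable_renewal: bool) -> Option<u64> {
    let mut dev = full_login(0);
    (1..=days).find(|&day| refresh(&mut dev, day, disable_renewal) == Refresh::FullLoginRequired)
}

fn main() {
    println!("renewal enabled:  {:?}", first_forced_reauth(365, false));
    println!("renewal disabled: {:?}", first_forced_reauth(365, true));
}
```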