I am implementing the refresh token rotation feature in Okta. In the Okta dashboard you can see these default settings where the refresh token lifetime is set to “Unlimited”. However, at the bottom of this page they mention the following:
When you use a refresh token with a SPA, make sure that you keep a short refresh token lifetime for better security.
I’ve reached out to Okta asking “How short is short?”, but there doesn’t seem to be any advice on what the best settings are for a ReactJS app, so I’m reaching out here to see if you guys have any guidance or ideas. Thanks!
submitted by /u/straightouttaireland
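The post asks how refresh token rotation and refresh token lifetime interact for a SPA. The following is an added example, not code from the post or from Okta: a toy server-side refresh token store that models the two controls the question is about. Every refresh carries out a rotation (the presented token is retired and a new one is minted), replaying a retired token revokes the whole token family, and an absolute lifetime measured from the family's creation bounds how long any token in that family can be used no matter how often it is rotated. The class, method names and the clock injection are assumptions made for this example; Okta's real implementation and its idle-timeout setting are not modelled.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass
class TokenFamily:
    """One login session's chain of rotated refresh tokens (constructed model)."""
    family_id: str
    user: str
    current_hash: str     # sha256 of the only token that is currently valid
    issued_at: float      # when the family was created; absolute lifetime counts from here
    revoked: bool = False


class RefreshTokenStore:
    """Toy refresh token store with rotation, reuse detection and an absolute lifetime.

    lifetime_seconds: how long a family stays usable after first issue
                      (the analogue of the dashboard's "refresh token lifetime").
    clock:            injected so the example is deterministic in tests.
    """

    def __init__(self, lifetime_seconds: int, clock: Callable[[], float] = time.time):
        self.lifetime = lifetime_seconds
        self.clock = clock
        self.families: dict = {}          # family_id -> TokenFamily
        self.token_to_family: dict = {}   # token hash -> family_id, retired tokens included

    @staticmethod
    def _hash(token: str) -> str:
        # Store only hashes so a leaked database does not leak usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def _mint(self, fam: TokenFamily) -> str:
        token = secrets.token_urlsafe(32)
        h = self._hash(token)
        fam.current_hash = h
        self.token_to_family[h] = fam.family_id
        return token

    def issue(self, user: str) -> str:
        """Create a new family at login and return its first refresh token."""
        fam = TokenFamily(secrets.token_hex(8), user, "", self.clock())
        self.families[fam.family_id] = fam
        return self._mint(fam)

    def rotate(self, presented: str) -> Tuple[str, Optional[str]]:
        """Exchange a refresh token for a new one.

        Returns (status, new_token). status is one of:
          "ok"       rotation succeeded, the presented token is now retired
          "unknown"  token was never issued by this store
          "revoked"  the family was already revoked
          "expired"  absolute lifetime exceeded; the user must log in again
          "reuse"    a retired token was replayed; the whole family is revoked
        """
        h = self._hash(presented)
        fid = self.token_to_family.get(h)
        if fid is None:
            return "unknown", None
        fam = self.families[fid]
        if fam.revoked:
            return "revoked", None
        if self.clock() - fam.issued_at > self.lifetime:
            fam.revoked = True
            return "expired", None
        if h != fam.current_hash:
            # Two parties presented the same token: the legitimate client and
            # whoever copied it. Neither can be trusted, so the family dies.
            fam.revoked = True
            return "reuse", None
        return "ok", self._mint(fam)


if __name__ == "__main__":
    now = [1_000.0]
    store = RefreshTokenStore(lifetime_seconds=3600, clock=lambda: now[0])
    first = store.issue("alice")
    status, second = store.rotate(first)
    print("first rotation:", status)             # ok
    print("replay of retired token:", store.rotate(first)[0])   # reuse
    print("legit client afterwards:", store.rotate(second)[0])  # revoked
    fresh = store.issue("bob")
    now[0] += 3601                               # one hour and a second later
    print("after lifetime:", store.rotate(fresh)[0])            # expired
```

The two settings answer different risks: rotation with reuse detection limits how long a copied token is useful to whichever party refreshes second, while the absolute lifetime caps the exposure window even if the copy is used before the legitimate client refreshes, which is why the shorter the lifetime the less a stolen SPA token is worth.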