Superseded: 31 January 2022 - Action required - Deprecating persistent refresh tokens

Hey @KevinGreenan and @FatmehShuman, sorry for keeping you waiting! I wanted to make sure I give you a complete reply.

Following your comments we checked our rotating refresh tokens (RRT) config and found that it didn’t match the behaviour we described, nor the one we were going for. This config mistake on our end was what led to your experience, but again, it wasn’t intended. This also prompted us to conduct a quick review of our RRT settings and finally we agreed on the following as a balance of security and user experience:
Absolute lifetime - 1 year (users will have to re-auth once a year, regardless of use)
Inactivity lifetime - 90 days ~ 3 months (users who are inactive for over 3 months will need to re-auth).

We are now working to implement these changes. Once they are live we will update our 3LO docs. Thanks again for your questions, hope this answers everything.
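A model of how the two limits in the post above combine, as an added example (not part of the original post and not the platform's own code). It assumes the absolute lifetime is counted from the user's authorization and the inactivity lifetime restarts on every successful rotation; the class and function names are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

ABSOLUTE_LIFETIME = timedelta(days=365)   # from the post: 1 year
INACTIVITY_LIFETIME = timedelta(days=90)  # from the post: 90 days


class ReauthRequired(Exception):
    """The refresh token can no longer be exchanged; the user must re-authorize."""


@dataclass(frozen=True)
class RefreshGrant:
    authorized_at: datetime    # when the user completed the consent flow
    last_rotated_at: datetime  # when the current refresh token was issued

    def expires_at(self) -> datetime:
        # Whichever limit is reached first ends the grant.
        return min(self.authorized_at + ABSOLUTE_LIFETIME,
                   self.last_rotated_at + INACTIVITY_LIFETIME)

    def rotate(self, now: datetime) -> "RefreshGrant":
        # Assumption: a token used exactly at the limit is still accepted
        # ("inactive for over 3 months" in the post).
        if now > self.expires_at():
            raise ReauthRequired(f"grant expired at {self.expires_at().isoformat()}")
        # Rotation restarts the inactivity clock only; authorized_at never moves.
        return RefreshGrant(self.authorized_at, now)


def days_until_reauth(start: datetime, refresh_every: timedelta) -> int:
    """Simulate a client refreshing at a fixed interval.

    Returns how many days after `start` the grant stops being usable.
    """
    grant = RefreshGrant(start, start)
    now = start
    while True:
        now += refresh_every
        try:
            grant = grant.rotate(now)
        except ReauthRequired:
            return (grant.expires_at() - start).days


if __name__ == "__main__":
    t0 = datetime(2022, 1, 31)  # constructed start date
    print(days_until_reauth(t0, timedelta(days=30)))   # active client
    print(days_until_reauth(t0, timedelta(days=120)))  # client idle too long
```

A client that refreshes often still hits the one-year wall, so it needs a path back to the authorization flow whenever a refresh is rejected.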