
Confusion about Timeout, MaxRefresh, RefreshTokenTimeout and the actual effect of this library #359

@duzhipeng

Description

  • In the document, the author only mentions the Timeout and MaxRefresh parameters, and does not mention RefreshTokenTimeout. However, the RefreshTokenTimeout setting does exist.
  • According to the JWT specification, the Timeout parameter is used for the Access Token, MaxRefresh is used for refresh behavior (based on the Access Token), and RefreshTokenTimeout limits the long-term validity of the Refresh Token to avoid permanent validity.
  • As typical values, Timeout is generally 15 minutes, MaxRefresh is generally 1 to 24 hours, and RefreshTokenTimeout is generally 7 to 30 days (the default value in the library is 30 days). It needs to be emphasized again that RefreshTokenTimeout is not mentioned at all in the documentation.
  • To make the problem easier to reproduce and easier to understand, we set it like this: Timeout: 1 minute, MaxRefresh: 3 minutes, RefreshTokenTimeout: 1 hour.

According to the JWT specification, the life cycle of each token is as follows:

T0 (Token Generation)
├─ Access Token becomes effective (can access resources directly)
└─ Refresh Token becomes effective (can be used for refresh)

T0+1 minute (Timeout expires)
├─ Access Token becomes invalid (cannot access resources directly)
└─ However, it is still within the MaxRefresh window (only 1 minute from T0, less than 3 minutes), so a new Access Token can be obtained by refreshing with the Refresh Token.

T0+3 minutes (MaxRefresh expires)
├─ Regardless of whether the Access Token or the Refresh Token has expired (the Refresh Token still has 57 minutes left), a new Access Token cannot be obtained by refreshing.
└─ The user is forced to log in again.

T0+1 hour (RefreshTokenTimeout expires)
├─ The Refresh Token becomes invalid (it cannot be used, even if the MaxRefresh window had not expired).
└─ Re-login is required.

This is exactly what the author explained in his reply in #315.

But in fact, after T0+3 minutes, as long as RefreshTokenTimeout has not expired, you can still call /refresh with the refresh_token and get a new token.

It doesn't matter whether /refresh is publicly accessible or placed in a protected environment that requires authMiddleware.MiddlewareFunc().

I saw CheckIfTokenExpire(), but I still don't understand it. Even under protection, MaxRefresh is much larger than Timeout, yet once Timeout is reached I can't use the Access Token together with the Refresh Token to refresh (the Refresh Token has not expired). What's the problem?
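To make the three windows in this issue concrete, here is a stand-alone Go model of the lifecycle laid out above (an added example, not gin-jwt's own code and not a description of what gin-jwt's /refresh handler does). The Policy struct, the "kind" and "orig_iat" claim names, the HMAC key and the hand-rolled HS256 encoding are all assumptions made for the demo. The point it shows: a refresh must pass two independent checks, the refresh token's own expiry (RefreshTokenTimeout) and the MaxRefresh window measured from the original login time carried in orig_iat, and because orig_iat is copied unchanged into every refreshed token and sits under the signature, chaining refreshes cannot push the window forward.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Policy carries the three lifetimes from the issue. The field names follow the
// option names used there; the struct itself is an assumption of this model.
type Policy struct {
	Timeout             time.Duration // lifetime of an access token
	MaxRefresh          time.Duration // refresh window, counted from the ORIGINAL login (T0)
	RefreshTokenTimeout time.Duration // absolute lifetime of the refresh token
}

// claims is the demo token payload. "kind" and "orig_iat" are assumed names.
type claims struct {
	Sub     string `json:"sub"`
	Kind    string `json:"kind"` // "access" or "refresh"
	OrigIat int64  `json:"orig_iat"`
	Exp     int64  `json:"exp"`
}

var hmacKey = []byte("constructed-demo-key-do-not-reuse") // constructed for the example

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// sign produces a compact HS256 JWT (header.payload.signature).
func sign(c claims) string {
	body, _ := json.Marshal(c)
	input := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(body)
	mac := hmac.New(sha256.New, hmacKey)
	mac.Write([]byte(input))
	return input + "." + b64(mac.Sum(nil))
}

var errBadToken = errors.New("malformed token or bad signature")

// parse verifies the MAC before trusting any claim, so a client cannot edit
// orig_iat to stretch its MaxRefresh window.
func parse(tok string) (claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return claims{}, errBadToken
	}
	mac := hmac.New(sha256.New, hmacKey)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal([]byte(b64(mac.Sum(nil))), []byte(parts[2])) {
		return claims{}, errBadToken
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return claims{}, errBadToken
	}
	var c claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return claims{}, errBadToken
	}
	return c, nil
}

// Login issues the access/refresh pair at T0.
func Login(p Policy, sub string, t0 time.Time) (access, refresh string) {
	access = sign(claims{Sub: sub, Kind: "access", OrigIat: t0.Unix(), Exp: t0.Add(p.Timeout).Unix()})
	refresh = sign(claims{Sub: sub, Kind: "refresh", OrigIat: t0.Unix(), Exp: t0.Add(p.RefreshTokenTimeout).Unix()})
	return access, refresh
}

// AccessOK reports whether an access token still opens a protected route at now.
func AccessOK(tok string, now time.Time) bool {
	c, err := parse(tok)
	return err == nil && c.Kind == "access" && now.Unix() < c.Exp
}

// Refresh enforces the timeline from the issue: the refresh token must be unexpired
// (RefreshTokenTimeout) AND now must still lie inside MaxRefresh counted from orig_iat.
func Refresh(p Policy, refreshTok string, now time.Time) (string, error) {
	c, err := parse(refreshTok)
	if err != nil {
		return "", err
	}
	if c.Kind != "refresh" {
		return "", errors.New("not a refresh token")
	}
	if now.Unix() >= c.Exp {
		return "", errors.New("refresh token expired (RefreshTokenTimeout): re-login")
	}
	if !now.Before(time.Unix(c.OrigIat, 0).Add(p.MaxRefresh)) {
		return "", errors.New("outside MaxRefresh window: re-login")
	}
	// orig_iat is carried over unchanged; only exp moves forward by Timeout.
	return sign(claims{Sub: c.Sub, Kind: "access", OrigIat: c.OrigIat, Exp: now.Add(p.Timeout).Unix()}), nil
}

func main() {
	p := Policy{Timeout: time.Minute, MaxRefresh: 3 * time.Minute, RefreshTokenTimeout: time.Hour}
	t0 := time.Unix(1700000000, 0) // fixed T0 so the run is deterministic
	access, refresh := Login(p, "alice", t0)
	for _, d := range []time.Duration{0, time.Minute, 3 * time.Minute, time.Hour} {
		_, err := Refresh(p, refresh, t0.Add(d))
		fmt.Printf("T0+%v: access valid=%t refresh err=%v\n", d, AccessOK(access, t0.Add(d)), err)
	}
}
```

Running main walks the four points on the issue's timeline: at T0 both checks pass, at T0+1m the access token is dead but refresh succeeds, at T0+3m refresh is denied by MaxRefresh even though the refresh token has 57 minutes left, and at T0+1h it is denied by the refresh token's own expiry. If a deployment observes refreshes succeeding past MaxRefresh, the first thing to confirm is which of these two checks the refresh route actually performs.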
