[Tech Debt] Replace hardcoded 90-day refresh token expiry with IdP value #411
Description
Context
From PR #401 code review - Medium priority configuration improvement.
Problem
Refresh token expiry is hardcoded to 90 days in three locations:
- token_broker.py:423
- token_broker.py:503
- token_broker.py:601
This ignores the actual expires_in value from the IdP's token response.
Current Code:
refresh_expiry = datetime.utcnow() + timedelta(days=90)Proposed Solution
Use the IdP's refresh_token expires_in if provided, otherwise fall back to 90 days:
# From token response
refresh_expires_in = token_data.get("refresh_expires_in") # Some IdPs provide this
if refresh_expires_in:
refresh_expiry = datetime.utcnow() + timedelta(seconds=refresh_expires_in)
else:
# Fallback to 90 days (many IdPs don't specify refresh token expiry)
refresh_expiry = datetime.utcnow() + timedelta(days=90)Benefits
- Respects IdP's actual token lifetime policy
- More accurate expiry tracking
- Better compatibility with different IdPs
Notes
- Many IdPs (including Nextcloud OIDC) don't provide refresh_expires_in in the token response
- 90-day fallback is a reasonable default
References
- Files: nextcloud_mcp_server/auth/token_broker.py:423, 503, 601
- Related to PR feat(astrolabe): Nextcloud app UI with PDF viewer, webhooks, and OAuth refresh #401 security fixes
Priority
Medium - Improvement, not a bug