[PM-25381] Add env variables for controlling refresh token lifetimes (#6276)

* add env variables for controlling refresh token lifetimes

* fix whitespace

* added setting for adjusting refresh token expiration policy

* format

src/Core/Settings/GlobalSettings.cs

@@ -468,6 +468,18 @@ public class GlobalSettings : IGlobalSettings
         public string RedisConnectionString { get; set; }
         public string CosmosConnectionString { get; set; }
         public string LicenseKey { get; set; } = "eyJhbGciOiJQUzI1NiIsImtpZCI6IklkZW50aXR5U2VydmVyTGljZW5zZWtleS83Y2VhZGJiNzgxMzA0NjllODgwNjg5MTAyNTQxNGYxNiIsInR5cCI6ImxpY2Vuc2Urand0In0.eyJpc3MiOiJodHRwczovL2R1ZW5kZXNvZnR3YXJlLmNvbSIsImF1ZCI6IklkZW50aXR5U2VydmVyIiwiaWF0IjoxNzM0NTY2NDAwLCJleHAiOjE3NjQ5NzkyMDAsImNvbXBhbnlfbmFtZSI6IkJpdHdhcmRlbiBJbmMuIiwiY29udGFjdF9pbmZvIjoiY29udGFjdEBkdWVuZGVzb2Z0d2FyZS5jb20iLCJlZGl0aW9uIjoiU3RhcnRlciIsImlkIjoiNjg3OCIsImZlYXR1cmUiOlsiaXN2IiwidW5saW1pdGVkX2NsaWVudHMiXSwicHJvZHVjdCI6IkJpdHdhcmRlbiJ9.TYc88W_t2t0F2AJV3rdyKwGyQKrKFriSAzm1tWFNHNR9QizfC-8bliGdT4Wgeie-ynCXs9wWaF-sKC5emg--qS7oe2iIt67Qd88WS53AwgTvAddQRA4NhGB1R7VM8GAikLieSos-DzzwLYRgjZdmcsprItYGSJuY73r-7-F97ta915majBytVxGF966tT9zF1aYk0bA8FS6DcDYkr5f7Nsy8daS_uIUAgNa_agKXtmQPqKujqtUb6rgWEpSp4OcQcG-8Dpd5jHqoIjouGvY-5LTgk5WmLxi_m-1QISjxUJrUm-UGao3_VwV5KFGqYrz8csdTl-HS40ihWcsWnrV0ug";
+        /// <summary>
+        /// Global override for sliding refresh token lifetime in seconds. If null, uses the constructor parameter value.
+        /// </summary>
+        public int? SlidingRefreshTokenLifetimeSeconds { get; set; }
+        /// <summary>
+        /// Global override for absolute refresh token lifetime in seconds. If null, uses the constructor parameter value.
+        /// </summary>
+        public int? AbsoluteRefreshTokenLifetimeSeconds { get; set; }
+        /// <summary>
+        /// Global override for refresh token expiration policy. False = Sliding (default), True = Absolute.
+        /// </summary>
+        public bool UseAbsoluteRefreshTokenExpiration { get; set; } = false;
     }
 
     public class DataProtectionSettings

src/Identity/IdentityServer/ApiClient.cs

@@ -18,10 +18,18 @@ public class ApiClient : Client
     {
         ClientId = id;
         AllowedGrantTypes = new[] { GrantType.ResourceOwnerPassword, GrantType.AuthorizationCode, WebAuthnGrantValidator.GrantType };
-        RefreshTokenExpiration = TokenExpiration.Sliding;
+
+        // Use global setting: false = Sliding (default), true = Absolute
+        RefreshTokenExpiration = globalSettings.IdentityServer.UseAbsoluteRefreshTokenExpiration
+            ? TokenExpiration.Absolute
+            : TokenExpiration.Sliding;
+
         RefreshTokenUsage = TokenUsage.ReUse;
-        SlidingRefreshTokenLifetime = 86400 * refreshTokenSlidingDays;
-        AbsoluteRefreshTokenLifetime = 0; // forever
+
+        // Use global setting if provided, otherwise use constructor parameter
+        SlidingRefreshTokenLifetime = globalSettings.IdentityServer.SlidingRefreshTokenLifetimeSeconds ?? (86400 * refreshTokenSlidingDays);
+        AbsoluteRefreshTokenLifetime = globalSettings.IdentityServer.AbsoluteRefreshTokenLifetimeSeconds ?? 0; // forever
+
         UpdateAccessTokenClaimsOnRefresh = true;
         AccessTokenLifetime = 3600 * accessTokenLifetimeHours;
         AllowOfflineAccess = true;