We have configured tokenExpiration as 15 minutes in Apache Jackrabbit Oak TokenConfiguration.
Token Expiration also works fine without any issues.
The issue we are facing is:
1. When a user logs in, the token gets created with a 15-minute expiration limit.
2. Any user activity on the application does not seem to refresh the token. No matter what the user does, it expires after 15 minutes. This is not the expected behaviour for us.
3. We do not want to use the tokenRefresh attribute within "Apache Jackrabbit Oak TokenConfiguration" as this seems to automatically refresh the token even if the user is inactive. The CSRF token heartbeat issued every 5 minutes from within the browser keeps refreshing the token and provides a prolonged session to the user. We do not want this behaviour.