OAuth server setup Q - APM
Hi
auth.demo.com >> APM OAuth server
res.demo.com >> APM Client / resource OAuth server
res.demo.com/protectedurl >> OAuth protected resource
So when you go to res.demo.com/protectedurl you get redirected to auth.demo.com and you get asked to log in.
So let's say I have my OAuth tokens set to 20min refresh max and 5 min access token life,
and let's say I have APM session inactivity on auth.demo.com set to 30min.
So once I have gone to auth.demo.com, received my token and am using it now on res.demo.com,
I would expect every 5min the access token is refreshed.
At 20min a redirect back to auth.demo.com would happen to get a new refresh token.
I would expect that my APM session on auth.demo.com would still exist; it's only been 20min and inactivity is set to 30min.
But no, that doesn't happen. It seems like an OAuth authorisation request terminates your APM session on auth.demo.com (it also changes your cookies for auth.demo.com), so you don't have a valid APM session, which means every 30 min you have to log back in.
How do you stop that? I am happy that if they are doing stuff on res.demo.com continuously they shouldn't have to log back in.
But I also want those 5min and 20 min check-ins so I can block at that spot.