Got a question I can't seem to get answered.
I have an OAuth authorisation server set up. I have applied the OAuth profile and I have a per-session policy that uses OAuth authorization to assign claims and scopes.
The claims are set up based upon session variables.
So the JWTs created have a 5 min life for the access token and a 60 min life for the refresh token.
So at 5 min + 1, my client/resource server will access the auth server for a new access token using the refresh token.
I see this on the APM logs on the auth server and the client/resource server.
BUT on the auth server, there is no session alive! So which auth server session variables is it using?
Does it just use the values that were assigned when the original request was made? If that's the case,
how can I, if possible, update the information for each request?
Is it possible?
@AlexS_yb - it's been a few days on this one - Have you figured this out yet?
If not - I'll see what help I might drum up.
Nothing as yet, that would be helpful.
You're right: in the OAuth AS use case, APM does not keep the session up. As soon as the token is issued, the session is deleted.
If client presents a refresh token, the previous values from the first request should be used.
I'm curious to know which kind of information you want to update during a "token refresh". If something changed on the Owner side, a new authentication is required, and then new session vars (claims) are issued.
Some claim information is based upon LDAP group membership.
With the current setup, a 60 min JWT token means that a user's permission might last 60 min past it being removed.
I was thinking maybe to reduce the refresh token time down and force a new JWT; seems expensive though.
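
The trade-off discussed in this thread, as an added example that is not part of the original posts and is not APM code: a toy authorization server that reuses the claims captured at first authentication on every refresh, compared with a hypothetical variant that re-reads the directory on refresh. The class and function names, the sample user and groups, and the assumption that the refresh token is not renewed on use are all constructed for illustration.

```python
from dataclasses import dataclass

ACCESS_TTL = 5 * 60  # access token lifetime from the thread, in seconds

@dataclass
class Grant:
    user: str
    claims: frozenset      # group claims captured at the original authentication
    refresh_expires: int   # assumption: the refresh token is not renewed on use

class AuthServer:
    """Toy AS. mode='snapshot' reuses the first request's claims on refresh;
    mode='lookup' (hypothetical) re-reads the directory on every refresh."""
    def __init__(self, directory, mode, refresh_ttl):
        self.directory, self.mode, self.refresh_ttl = directory, mode, refresh_ttl

    def authenticate(self, user, now):
        grant = Grant(user, frozenset(self.directory[user]), now + self.refresh_ttl)
        return grant, self._access_token(grant, now)

    def refresh(self, grant, now):
        if now >= grant.refresh_expires:
            raise PermissionError("refresh token expired: user must re-authenticate")
        return self._access_token(grant, now)

    def _access_token(self, grant, now):
        live = frozenset(self.directory[grant.user])
        groups = grant.claims if self.mode == "snapshot" else live
        return {"sub": grant.user, "groups": groups, "exp": now + ACCESS_TTL}

def stale_window(mode, removed_at, refresh_ttl=60 * 60, group="admins"):
    """Seconds after the group removal during which a valid token still carries it."""
    directory = {"alice": {"admins", "staff"}}  # constructed sample directory
    server = AuthServer(directory, mode, refresh_ttl)
    grant, token = server.authenticate("alice", now=0)
    last_stale_exp = removed_at
    while True:
        if group in token["groups"]:
            last_stale_exp = max(last_stale_exp, token["exp"])
        now = token["exp"]  # client refreshes when its access token expires
        if now >= removed_at:
            directory["alice"].discard(group)  # the LDAP change takes effect
        try:
            token = server.refresh(grant, now)
        except PermissionError:
            return last_stale_exp - removed_at

if __name__ == "__main__":
    for mode, ttl in [("snapshot", 3600), ("snapshot", 900), ("lookup", 3600)]:
        print(mode, ttl, stale_window(mode, removed_at=60, refresh_ttl=ttl))
```

In this model the stale window under snapshot semantics tracks the refresh token lifetime, while re-evaluating claims at refresh bounds it by the access token lifetime.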