This was brought up on the May 6 call. Scenario:
- a mobile app starts an OAuth flow to its (first-party) authorization server
- the authorization server federates to the enterprise IdP to log in the user
- the authorization server receives an ID token, then creates an access token and refresh token and sends it to the mobile app
- later, the access token expires, the mobile app goes to use the refresh token at its authorization server
[IPSIE enters the chat]
- the authorization server ideally should check back with the IdP before issuing a new access token
- If the authorization server has a refresh token from the IdP, it could use the refresh token in the backchannel to check in with the IdP.
If the authorization server doesn't have a refresh token, the only way to accomplish this is actually to do a full OAuth flow from scratch again, including the user-visible popup browser on mobile. The "happy path" would complete relatively quickly, since the user would have an active session at the IdP and wouldn't need to re-authenticate. However that "happy path" is still somewhat disruptive to the user experience on mobile.
So the question for the group is how do we want to enable this use case: the authorization server ideally should check back with the IdP before issuing a new access token
This was brought up on the May 6 call. Scenario:
[IPSIE enters the chat]
If the authorization server doesn't have a refresh token, the only way to accomplish this is actually to do a full OAuth flow from scratch again, including the user-visible popup browser on mobile. The "happy path" would complete relatively quickly, since the user would have an active session at the IdP and wouldn't need to re-authenticate. However that "happy path" is still somewhat disruptive to the user experience on mobile.
So the question for the group is how do we want to enable this use case: the authorization server ideally should check back with the IdP before issuing a new access token