Skip to content

refresh tokens vs full page redirects - how should the resource authorization server check the IdP session? #74

Description

@aaronpk

This was brought up on the May 6 call. Scenario:

  • a mobile app starts an OAuth flow to its (first-party) authorization server
  • the authorization server federates to the enterprise IdP to log in the user
  • the authorization server receives an ID token, then creates an access token and refresh token and sends it to the mobile app
  • later, the access token expires, the mobile app goes to use the refresh token at its authorization server

[IPSIE enters the chat]

  • the authorization server ideally should check back with the IdP before issuing a new access token
  • If the authorization server has a refresh token from the IdP, it could use the refresh token in the backchannel to check in with the IdP.

If the authorization server doesn't have a refresh token, the only way to accomplish this is actually to do a full OAuth flow from scratch again, including the user-visible popup browser on mobile. The "happy path" would complete relatively quickly, since the user would have an active session at the IdP and wouldn't need to re-authenticate. However that "happy path" is still somewhat disruptive to the user experience on mobile.

So the question for the group is how do we want to enable this use case: the authorization server ideally should check back with the IdP before issuing a new access token

Metadata

Metadata

Assignees

Labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions