OAuth 2 refresh token support #8175
Labels
affected-medium
This issue impacts approximately half of our customers
area-auth
Includes: Authn, Authz, OAuth, OIDC, Bearer
enhancement
This issue represents an ask for new feature or an enhancement to an existing one
severity-major
This label is used by an internal tool
Milestone
The OAuthHandler class does not provide any option to expire the underlying Cookie ticket upon expiry of the Bearer Token, also it does not have any support for Refresh tokens other than storing the value in AuthenticationProperties.
I Suggest the following:
Add a property: bool ExpireUponTokenExpiry to RemoteAuthenticationOptions
On authenticating ticket, check this property
if false just return AuthenticateResult.Success upon validating the ticket
if true and bearer token is not expired return AuthenticateResult.Success
if true and bearer token is expired
-> if refresh_token isSet in AuthenticationProperties, Exhange the refresh token for new bearer token through http backchannel,
-> if no refresh_token is set, start a new OAuth authentication flow, with RedirectResult
The text was updated successfully, but these errors were encountered: