aarc-community / architecture-guidelines


Investigate refresh token validation methods for refreshing tokens between proxies #18

Open NicolasLiampotis opened 1 month ago

NicolasLiampotis commented 1 month ago

The current version of the guidelines for refreshing tokens between proxies (AARC-G073) proposes the use of Token Introspection (RFC 7662) for validating the refresh token issued by the upstream Proxy. Another method would be to perform a refresh token flow.

We need to extend the document to describe the alternative flows.

NicolasLiampotis commented 9 hours ago

The Refresh Token flows need to support two scenarios:

  1. Without Refresh Token rotation, and
  2. With Refresh Token Rotation

For the scenario without Refresh Token rotation, we include both options: Token Introspection and using the Refresh Token flow between Proxy A & B.

Scenario 1: Without Refresh Token Rotation

Refresh Token Flow without Rotation (Issue #18)

Scenario 2: With Refresh Token Rotation

Refresh Token Flow with Rotation (Issue #18)
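To make the difference between the two validation options concrete, here is an added simulation (example code, not AARC's or the project's own) of the two scenarios above: Proxy B holds a refresh token issued by Proxy A and checks it either by Token Introspection (RFC 7662) or by performing the refresh token grant (RFC 6749 section 6), with rotation switched on or off at Proxy A. The `UpstreamProxy`/`DownstreamProxy` classes, the subject and client-id values and the in-memory token store are all constructed for the example; real proxies would call HTTP endpoints instead. The point it shows is that introspection is a non-consuming check, whereas the refresh flow under rotation invalidates the token Proxy B sent and returns a new one that Proxy B must persist before anything else.

```python
"""Constructed simulation of validating an upstream refresh token by
introspection (RFC 7662) versus by the refresh token grant (RFC 6749 s.6),
with and without refresh token rotation. Not AARC or project code."""
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class UpstreamProxy:
    """Proxy A (hypothetical): issues refresh tokens, answers introspection
    and serves the refresh token grant."""
    rotate: bool                      # refresh token rotation on/off
    lifetime: int = 3600
    _tokens: dict = field(default_factory=dict)   # refresh token -> record

    def issue(self, sub: str, client_id: str) -> str:
        token = secrets.token_urlsafe(24)
        self._tokens[token] = {"sub": sub, "client_id": client_id,
                               "exp": int(time.time()) + self.lifetime}
        return token

    def introspect(self, token: str) -> dict:
        # RFC 7662 style response: unknown, revoked or expired -> inactive
        rec = self._tokens.get(token)
        if rec is None or rec["exp"] <= time.time():
            return {"active": False}
        return {"active": True, **rec}

    def refresh_grant(self, refresh_token: str, client_id: str) -> dict:
        rec = self._tokens.get(refresh_token)
        if rec is None or rec["client_id"] != client_id or rec["exp"] <= time.time():
            return {"error": "invalid_grant"}
        resp = {"access_token": secrets.token_urlsafe(16),
                "token_type": "Bearer", "expires_in": 300}
        if self.rotate:
            del self._tokens[refresh_token]      # old token is single-use
            resp["refresh_token"] = self.issue(rec["sub"], client_id)
        return resp

    def revoke(self, token: str) -> None:
        self._tokens.pop(token, None)


@dataclass
class DownstreamProxy:
    """Proxy B (hypothetical): keeps the upstream refresh token per subject
    and must know it is still valid before minting its own tokens."""
    upstream: UpstreamProxy
    client_id: str
    stored: dict = field(default_factory=dict)   # sub -> upstream refresh token

    def validate_by_introspection(self, sub: str) -> bool:
        # Non-consuming check: the stored token is untouched afterwards,
        # so it behaves the same with or without rotation.
        return self.upstream.introspect(self.stored[sub]).get("active", False)

    def validate_by_refresh(self, sub: str) -> bool:
        # Consuming check: with rotation Proxy A invalidates the token we
        # sent and hands back a new one, which must replace the stored copy
        # or the next check fails with invalid_grant.
        resp = self.upstream.refresh_grant(self.stored[sub], self.client_id)
        if "error" in resp:
            return False
        if "refresh_token" in resp:
            self.stored[sub] = resp["refresh_token"]
        return True


def run_scenario(rotate: bool) -> dict:
    """Walk one scenario and return what Proxy B observes at each step."""
    a = UpstreamProxy(rotate=rotate)
    b = DownstreamProxy(upstream=a, client_id="proxy-b")
    first = a.issue("alice", "proxy-b")          # constructed subject
    b.stored["alice"] = first
    out = {
        "introspect_ok": b.validate_by_introspection("alice"),
        "refresh_ok": b.validate_by_refresh("alice"),
        "token_changed": b.stored["alice"] != first,
        "old_token_active": a.introspect(first)["active"],
        "second_refresh_ok": b.validate_by_refresh("alice"),
    }
    a.revoke(b.stored["alice"])                   # upstream-side revocation
    out["after_revoke_introspect"] = b.validate_by_introspection("alice")
    out["after_revoke_refresh"] = b.validate_by_refresh("alice")
    return out


def stale_copy_fails() -> bool:
    """With rotation, any Proxy B instance still holding the pre-rotation
    token (e.g. a replica that missed the update) is rejected upstream."""
    a = UpstreamProxy(rotate=True)
    b = DownstreamProxy(upstream=a, client_id="proxy-b")
    first = a.issue("bob", "proxy-b")
    b.stored["bob"] = first
    b.validate_by_refresh("bob")                  # rotates the token
    return a.refresh_grant(first, "proxy-b") == {"error": "invalid_grant"}


if __name__ == "__main__":
    print("no rotation:", run_scenario(rotate=False))
    print("rotation:   ", run_scenario(rotate=True))
    print("stale copy rejected:", stale_copy_fails())
```

Both checks detect an upstream revocation equally well; the difference is operational. Using the refresh flow purely as a validity check is harmless without rotation, but with rotation it turns every check into a state change that all Proxy B instances must see, which is the caveat to weigh when choosing between the two options.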

NicolasLiampotis commented 7 hours ago

We agreed during the architecture call that it makes sense to use Refresh Token only to check the validity of the remotely issued refresh token.