Open NicolasLiampotis opened 1 month ago
The Refresh Token flows need to support two scenarios:
Scenario 1: Without Refresh Token Rotation
Scenario 2: With Refresh Token Rotation
For the scenario without Refresh Token rotation, we include both options: Token Introspection and using the Refresh Token flow between Proxy A & B.
We agreed during the architecture call that it makes sense to use Refresh Token only to check the validity of the remotely issued refresh token.
The current version of the guidelines for refreshing tokens between proxies (AARC-G073) proposes the use of Token Introspection (RFC 7662) for validating the refresh token issued by the upstream Proxy. Another method would be to perform a refresh token flow.
We need to extend the document to describe the alternative flows.
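As an added example (not code from the AARC-G073 guidelines or from this issue), the two options above as Proxy B would run them against a refresh token issued by Proxy A: RFC 7662 introspection, which only reads the token, and the refresh_token grant, which consumes it and under rotation hands back a replacement that must be stored. It goes slightly beyond the text by covering both the rotation and non-rotation scenarios; the endpoint URLs, client credentials, token values and the offline stand-in for Proxy A are all constructed assumptions.

```python
import base64
from urllib.parse import urlencode, parse_qs

# Hypothetical Proxy A endpoints, constructed for this example.
INTROSPECTION_URL = "https://proxy-a.example.org/oauth2/introspect"
TOKEN_URL = "https://proxy-a.example.org/oauth2/token"

def _form_post(url, client_id, client_secret, fields):
    """Form-encoded POST with HTTP Basic client authentication (RFC 6749 s2.3.1)."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {"url": url, "body": urlencode(fields),
            "headers": {"Authorization": "Basic " + creds,
                        "Content-Type": "application/x-www-form-urlencoded"}}

def refresh_token_is_active(post, rt, client_id, client_secret):
    """Option 1: RFC 7662 introspection. Read-only: the refresh token is not consumed,
    so this behaves the same with and without refresh token rotation."""
    resp = post(_form_post(INTROSPECTION_URL, client_id, client_secret,
                           {"token": rt, "token_type_hint": "refresh_token"}))
    return resp.get("active") is True  # anything else must be treated as invalid

def refresh_and_store(post, store, client_id, client_secret):
    """Option 2: run the refresh_token grant. Under rotation the reply carries a new
    refresh token and the old one is revoked upstream, so persist the replacement at once."""
    resp = post(_form_post(TOKEN_URL, client_id, client_secret,
                           {"grant_type": "refresh_token", "refresh_token": store["refresh_token"]}))
    if "access_token" not in resp:
        return False
    if "refresh_token" in resp:
        store["refresh_token"] = resp["refresh_token"]
    store["access_token"] = resp["access_token"]
    return True

class FakeProxyA:
    """Constructed stand-in for Proxy A's introspection and token endpoints (runs offline)."""
    def __init__(self, rotation):
        self.rotation, self.valid, self.counter = rotation, {"rt-1"}, 1
    def __call__(self, req):
        f = {k: v[0] for k, v in parse_qs(req["body"]).items()}
        if req["url"] == INTROSPECTION_URL:
            return {"active": f["token"] in self.valid}
        if f.get("grant_type") != "refresh_token" or f["refresh_token"] not in self.valid:
            return {"error": "invalid_grant"}
        reply = {"access_token": "at-new", "token_type": "Bearer"}
        if self.rotation:  # rotate: revoke the used token, issue a replacement
            self.counter += 1
            self.valid.discard(f["refresh_token"])
            self.valid.add(f"rt-{self.counter}")
            reply["refresh_token"] = f"rt-{self.counter}"
        return reply
```

Note that a second refresh with the old token fails under rotation, which is exactly why introspection is the safer validity check when Proxy B only wants to know whether the upstream token is still alive.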