openid / AppAuth-Android

Android client SDK for communicating with OAuth 2.0 and OpenID Connect providers.
https://openid.github.io/AppAuth-Android
Apache License 2.0

Losing ID token during token refresh #34

Open iainmcgin opened 8 years ago

iainmcgin commented 8 years ago

Consider a scenario where the client requests an ID token, access token and refresh token on their authorization request. This is granted, and after exchange of the authorization code, they receive the requested tokens. An IDP can freely choose different expiration times for access tokens and ID tokens, so let's say that an ID token lasts 24 hours, and an access token lasts 1 hour.

After an hour of using the tokens with the help of AuthState.performActionWithFreshTokens, the access token expires and we request fresh tokens. The received token response replaces the original token response, which contained the (still valid) ID token. This response may or may not contain a new ID token; this is entirely up to the behavior of the IDP - I can't see anything in the spec that would require a refresh exchange to always yield the same tokens as the original code exchange.

So, the original ID token is lost when the token response is replaced, and there may not be a new one in the new token response to replace it. Should AuthState be storing token values independently of the authorization and token responses, to avoid this scenario?
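To make the failure mode above concrete, here is a small stand-alone Java model of the state update, written for this thread rather than taken from AppAuth-Android (the class and field names `TokenState`, `TokenResponse`, `update` and `isIdTokenFresh` are invented for the example). It replaces the access token on every refresh, keeps the refresh token unless the IDP rotated it, and keeps the previous ID token whenever the refresh response omits one, so a still-valid ID token is not discarded; an ID token that does not have the three dot-separated segments of a compact JWS is rejected rather than stored. The expiry instants are passed in directly; in a real client they would come from the `expires_in` field and the ID token's `exp` claim, and the ID token would still have to be fully validated (signature, issuer, audience, nonce) before use.

```java
import java.time.Clock;
import java.time.Instant;
import java.time.ZoneOffset;

/**
 * Example token state (not AppAuth's own code) that survives a refresh
 * response without an id_token, which OIDC Core 12.2 allows.
 */
public final class TokenState {

    /** Constructed snapshot of one token response; all names are hypothetical. */
    public static final class TokenResponse {
        final String accessToken;
        final Instant accessTokenExpiry;
        final String refreshToken;   // null when the IDP did not rotate it
        final String idToken;        // null when the response omitted it
        final Instant idTokenExpiry; // "exp" claim of idToken, null if no idToken

        TokenResponse(String accessToken, Instant accessTokenExpiry,
                      String refreshToken, String idToken, Instant idTokenExpiry) {
            this.accessToken = accessToken;
            this.accessTokenExpiry = accessTokenExpiry;
            this.refreshToken = refreshToken;
            this.idToken = idToken;
            this.idTokenExpiry = idTokenExpiry;
        }
    }

    private final Clock clock;
    private String accessToken;
    private Instant accessTokenExpiry;
    private String refreshToken;
    private String idToken;
    private Instant idTokenExpiry;

    public TokenState(Clock clock) {
        this.clock = clock;
    }

    /** Merge a code-exchange or refresh response into the stored state. */
    public void update(TokenResponse r) {
        // The access token is always replaced; that is what a refresh is for.
        accessToken = r.accessToken;
        accessTokenExpiry = r.accessTokenExpiry;

        // Keep the existing refresh token unless the IDP issued a new one.
        if (r.refreshToken != null) {
            refreshToken = r.refreshToken;
        }

        // Only replace the ID token when the response actually carries a
        // well-formed one; otherwise the previous (possibly still valid)
        // ID token is retained instead of being lost.
        if (r.idToken != null) {
            if (!looksLikeCompactJws(r.idToken)) {
                throw new IllegalArgumentException("id_token is not a three-segment JWS");
            }
            idToken = r.idToken;
            idTokenExpiry = r.idTokenExpiry;
        }
    }

    /** True while a stored ID token exists and its exp lies in the future. */
    public boolean isIdTokenFresh() {
        return idToken != null && idTokenExpiry != null
                && clock.instant().isBefore(idTokenExpiry);
    }

    public String getIdToken() { return idToken; }
    public String getAccessToken() { return accessToken; }
    public String getRefreshToken() { return refreshToken; }

    /** Structural check only: header.payload.signature, each non-empty base64url. */
    static boolean looksLikeCompactJws(String token) {
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3) return false;
        for (String p : parts) {
            if (p.isEmpty() || !p.matches("[A-Za-z0-9_-]+")) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2024-01-01T00:00:00Z");
        TokenState state = new TokenState(Clock.fixed(now, ZoneOffset.UTC));

        // Constructed tokens: the ID token lasts 24h, the access token 1h.
        String idToken = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.c2lnbmF0dXJl";
        state.update(new TokenResponse("at-1", now.plusSeconds(3600),
                "rt-1", idToken, now.plusSeconds(86400)));

        // One hour later the refresh response carries no id_token at all.
        state.update(new TokenResponse("at-2", now.plusSeconds(7200), null, null, null));

        System.out.println("access token: " + state.getAccessToken());      // at-2
        System.out.println("refresh token: " + state.getRefreshToken());    // rt-1
        System.out.println("id token kept: " + idToken.equals(state.getIdToken()));
        System.out.println("id token fresh: " + state.isIdTokenFresh());    // true
    }
}
```

Run with `javac TokenState.java && java TokenState`. The key design choice is that each token is stored in its own field rather than as "the last response", so a refresh that omits a field cannot silently erase a value the client still needs.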

iainmcgin commented 8 years ago

Ping on this - we have had some offline discussions, and it seems that independently storing the tokens in AuthState that can be lost by token refresh, particularly if they are not stale, would be helpful. The only debate remaining seemed to be whether it made sense for IDPs to have this behavior in the first place. Irrespective of that, the spec currently allows it, so we should probably make the change.

@WilliamDenniss @ve7jtb do you agree? If so, I'll make the change.

n2ygk commented 7 years ago

Here's the OIDC 1.0 reference about this:

12.2. Successful Refresh Response

Upon successful validation of the Refresh Token, the response body is the Token Response of Section 3.1.3.3 except that it might not contain an id_token.

DevItAndroidTeam commented 6 years ago

Hello, I am facing a problem while refreshing the id_token. I am not getting the full id_token; instead it gives half of the id_token. That is, the third part (the signature) is not available when refreshing the token. Can you please help me with how to get the full id_token when the user refreshes the token.