Make getSession/verifySession stateless by default

[porcellus]

🚀 Feature

People generally do not expect getSession/verifySession to be calling the core. Two main reasons that those functions call the core are:

• claim value refreshes: we can alleviate this by setting the default refresh times to infinity.
• marking the refresh token as "delivered" by making a core call that removes the parent refresh token hash from the payload: we can skip this by assuming that the delivery happened after some time.

Implementation details

• we can assume (in the core) that the parent refresh token is delivered after a grace period
  • Okta uses 30 seconds by default
  • we should make this configurable in the core
  • We will do this with a new CDI (maybe after the OAuth2 release)
• we can remove the "ping-back" based on parentRefreshTokenHash from getSession
  • doing this without the above core change will result in a security issue until the core change is released
  • We will do this with a new CDI (maybe after the OAuth2 release)
• we should not clear the session if the core call to verify it returns unauthorized
  • basically remove unauthorised error from getSession
  • We can do this in the OAuth2 release
• we set the defaultMaxAge to infinity to all built-in claim validators
  • this includes refetchTimeOnFalseInSeconds
  • We can do this in the OAuth2 release