Closed jacekelgda closed 2 years ago
Hi @jacekelgda It is correct that Vipps Login does not support refresh tokens. The offline scope is also not supported. We will look into removing this from the openid-configuration. The expiration for the access token is 10 min.
Hi @thormarius, thanks for the quick reply. So do I understand correctly that we require users to log in with the full flow every 10 minutes of using the app, or is there some alternative solution to this?
@jacekelgda No, the user does not need to log in every 10 minutes. I think you misunderstand slightly how Vipps Login works: You should use the access token only to retrieve userinfo. You can then log in/register the user on your site, in which you should create and manage your own user session (with your own expiration on the session cookie).
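The pattern described in the reply above, as an added example (not code from this thread or from Vipps): the access token is used once to fetch userinfo, and the site then issues its own HMAC-signed session cookie with its own lifetime. The names `login_with_vipps`, `verify_session`, `fetch_userinfo` and the 8-hour `SESSION_TTL` are assumptions for illustration; `fetch_userinfo` stands in for the HTTP call to the userinfo endpoint, and `sub` is the standard OpenID Connect subject claim.

```python
import base64, hashlib, hmac, json, secrets, time

SESSION_TTL = 8 * 3600            # assumption: the site's own session lifetime, in seconds
SECRET = secrets.token_bytes(32)  # per-process key; a deployment would load a persistent one

def _sign(payload: bytes) -> str:
    mac = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()

def login_with_vipps(access_token, fetch_userinfo, now=None):
    """Use the short-lived access token once, then issue our own session cookie."""
    now = time.time() if now is None else now
    userinfo = fetch_userinfo(access_token)  # the only use of the access token
    # The access token is not stored; the session carries only our own claims.
    claims = {"sub": userinfo["sub"], "exp": int(now) + SESSION_TTL}
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return payload.decode() + "." + _sign(payload)

def verify_session(cookie, now=None):
    """Return the user's sub if the cookie is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload, sig = cookie.split(".", 1)
        # Constant-time comparison so the check does not leak signature bytes.
        if not hmac.compare_digest(sig, _sign(payload.encode())):
            return None
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, TypeError, AttributeError):
        return None
    return claims["sub"] if claims["exp"] > now else None

if __name__ == "__main__":
    # Constructed stand-in for the userinfo call; values are not real.
    def stub(token):
        return {"sub": "constructed-sub-123"}
    cookie = login_with_vipps("constructed-access-token", stub)
    # Still valid long after the 10-minute access token would have expired.
    print(verify_session(cookie, now=time.time() + 3600))
```

In a real deployment the cookie would also be set with the `Secure`, `HttpOnly` and `SameSite` attributes.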
Right, that's what I suspected after doing some additional analysis - thank you for your answer.
Hi, currently I can see there is no support for refresh_token flow (as mentioned in here: https://github.com/vippsas/vipps-login-api/blob/master/vipps-login-api.md#refresh-token) but in places such as openapi doc I can still see references to refresh_token. When we include offline scope in token request we get an error about client "The requested scope is invalid unknown or malformed. The OAuth 2.0 Client is not allowed to request scope offline". What is the correct refresh token flow at the moment and what is the expiration time of granted tokens that are used to access vipps api such as 'userinfo' endpoint?