Does the OIDC refresh token need any permanent cache?
Henri Mikkonen
henri.mikkonen at csc.fi
Tue May 12 14:09:39 UTC 2020
Hi Jim,
> Does the refresh token carry within it enough information for the IdP to issue a new id token? Or is there a permanent cache needed somewhere?
Yes: all the needed information is encoded inside the refresh_token (which is encrypted via data sealer). Depending on your attribute-resolver configuration, also the attribute/claim values might be included [1].
There’s no need (actually not even support at the moment) for any server-side cache/storage regarding them.
BR,
Henri.
[1] https://github.com/CSCfi/shibboleth-idp-oidc-extension/wiki/AttributeEncoderPluginConfiguration
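
The stateless design described in the reply above, as an added example that is not part of the original message and is not the extension's own code: the token's encrypted payload carries the claims and the expiry, so the server recovers everything from the token itself and stores nothing. AES-GCM, the token layout, the sample claims and the names `SealedRefreshToken`, `seal` and `unseal` are assumptions made for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;

// Illustrative stand-in for a sealed, self-contained refresh token (hypothetical names).
public class SealedRefreshToken {
    private static final SecureRandom RNG = new SecureRandom();
    private final SecretKey key; // hypothetical server-side sealing key
    SealedRefreshToken(SecretKey key) { this.key = key; }

    // Token = base64url(iv || AES-GCM(expiry || claims JSON)); nothing is stored server-side.
    String seal(String claimsJson, Instant expiry) throws Exception {
        byte[] iv = new byte[12];
        RNG.nextBytes(iv); // fresh nonce per token; never reuse one with the same key
        byte[] claims = claimsJson.getBytes(StandardCharsets.UTF_8);
        byte[] plain = ByteBuffer.allocate(8 + claims.length)
                .putLong(expiry.getEpochSecond()).put(claims).array();
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plain);
        byte[] out = ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    // Recovers the claims from the token alone; throws on tampering, wrong key or expiry.
    String unseal(String token, Instant now) throws Exception {
        byte[] in = Base64.getUrlDecoder().decode(token);
        if (in.length < 12 + 16 + 8) throw new SecurityException("token too short");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, in, 0, 12));
        ByteBuffer plain = ByteBuffer.wrap(c.doFinal(in, 12, in.length - 12)); // AEADBadTagException if modified
        if (now.getEpochSecond() >= plain.getLong()) throw new SecurityException("token expired");
        return StandardCharsets.UTF_8.decode(plain).toString();
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SealedRefreshToken sealer = new SealedRefreshToken(kg.generateKey());
        // Constructed sample claims, not taken from the thread.
        String token = sealer.seal("{\"sub\":\"jdoe\",\"scope\":\"openid email\"}", Instant.now().plusSeconds(3600));
        System.out.println(sealer.unseal(token, Instant.now()));
    }
}
```

Because validity rests entirely on the sealing key and the embedded expiry, protecting and rotating that key is what bounds the lifetime of every issued token in this sketch.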