Does the OIDC refresh token need any permanent cache?
fox at washington.edu
Tue May 12 18:02:00 UTC 2020
> Does the refresh token carry within it enough information for the IdP to issue a new id token? Or is
> there a permanent cache needed somewhere?
> Yes: all the needed information is encoded inside the refresh_token (which is encrypted via data sealer). Depending
> on your attribute-resolver configuration, also the attribute/claim values might be included .
> There’s no need (actually not even support at the moment) for any server-side cache/storage regarding them.
The revocation cache is maintained in server-side storage. So revocation at one host would still allow refresh tokens to be used on other hosts. Correct?
If so, is there a way for me to, via a hook or something, to intercept a refresh request and deny it if the subject was in a local "do not refresh" list - a list that I would maintain by other means?
More information about the users