Does the OIDC refresh token need any permanent cache?

Jim Fox fox at
Tue May 12 18:02:00 UTC 2020

>       Does the refresh token carry within it enough information for the IdP to issue a new id token?  Or is
>       there a permanent cache needed somewhere?
> Yes: all the needed information is encoded inside the refresh_token (which is encrypted via data sealer). Depending
> on your attribute-resolver configuration, also the attribute/claim values might be included [1].
> There’s no need (actually not even support at the moment) for any server-side cache/storage regarding them.

The revocation cache is maintained in server-side storage.  So revocation at one host would still allow refresh tokens to be used on other hosts. Correct?
If so, is there a way for me to, via a hook or something, to intercept a refresh request and deny it if the subject was in a local "do not refresh" list - a list that I would maintain by other means?


More information about the users mailing list