There is no way to override RefreshHandler

Question

There is no way to override RefreshHandler

Koichi-hub opened this issue a year ago · 2 comments

Before refreshing the access_token, I need to delete the session it refers to so that the hacker cannot quietly use the victim's session. To do this, I need to place the logic of deleting the session somewhere, as well as writing new values to claims. But there is no such possibility.
Was such a scenario not envisaged? Why?

Answer 1 · 2023-06-07T03:31:55.000Z

I will take it.

Answer 2 · 2023-06-07T05:40:31.000Z

@Koichi-hub You can overwrite the RefreshResponse handler.