There is no way to override RefreshHandler
Koichi-hub opened this issue · 2 comments
Koichi-hub commented
Before refreshing the access_token, I need to delete the session it refers to so that the hacker cannot quietly use the victim's session. To do this, I need to place the logic of deleting the session somewhere, as well as writing new values to claims. But there is no such possibility.
Was such a scenario not envisaged? Why?
appleboy commented
I will take it.
appleboy commented
@Koichi-hub You can overwrite the RefreshResponse handler.
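
Added example, not part of the thread and not gin-jwt's API: the session rotation the issue describes, in standard-library Go. Refresh atomically deletes the session the old token refers to and returns claims bound to a new session. `Claims`, `SessionStore`, `Login`, `Valid` and `Refresh` are hypothetical names, "alice" is a constructed sample user, and token signing is assumed to happen elsewhere.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// Claims is a hypothetical token payload; SessionID binds the token to a server-side session.
type Claims struct{ UserID, SessionID string }

var ErrRevoked = errors.New("session revoked or unknown")

// SessionStore (hypothetical) maps live session IDs to user IDs.
type SessionStore struct{ live sync.Map }

// Login registers a fresh random session and returns the claims to sign.
func (s *SessionStore) Login(userID string) Claims {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	c := Claims{UserID: userID, SessionID: hex.EncodeToString(b)}
	s.live.Store(c.SessionID, userID)
	return c
}

// Valid reports whether the token's session is still live (checked on every request).
func (s *SessionStore) Valid(c Claims) bool {
	_, ok := s.live.Load(c.SessionID)
	return ok
}

// Refresh deletes the old session first (LoadAndDelete is atomic), then issues new claims.
func (s *SessionStore) Refresh(old Claims) (Claims, error) {
	user, ok := s.live.LoadAndDelete(old.SessionID)
	if !ok {
		return Claims{}, ErrRevoked
	}
	return s.Login(user.(string)), nil
}

func main() {
	var store SessionStore
	first := store.Login("alice") // constructed sample user
	second, _ := store.Refresh(first)
	fmt.Println(store.Valid(first), store.Valid(second)) // old token dead, new one live
}
```

Because the old session is removed before the new claims are issued, a copy of the pre-refresh token can neither pass `Valid` nor be refreshed a second time.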