refresh_token should be considered optional
restena-sw opened this issue · 4 comments
This LOC refuses a token if it does not contain a Refresh Token.
RFC 6749 Section 1.5 makes clear that the existence of a refresh_token is optional:
https://www.rfc-editor.org/rfc/rfc6749#section-1.5
" Issuing a refresh token is optional at the discretion of the authorization server. "
The sanity check appears overdoing it here.
Indeed. Also check_token_validity() will need some changes.
Fixed.
PS. I think we separately need to make the token expiration handling better. Whenever we do "kill session", the user should be logged out (presented with the logon screen).
After some further investigation, I found out that a spec-compliant OIDC server will only issue refresh_token if the client requests the scope "offline_access".
If Roundcube significantly benefits from refresh_token (does it?) one could consider requesting that scope by default.
It does. Roundcube is a long-running session application, i.e. as long as the browser window is open, the session does not expire. If it has the refresh_token, it will refresh the token automatically, so everything works until the session ends.
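The points raised in this thread (a refresh_token is optional per RFC 6749, the validity check must cope with its absence, a session without a refresh_token must end at expiry, and offline_access is what asks an OIDC server for one) fit in one small client-side routine. The following is an added example written for this page; it is not Roundcube's code and does not reproduce its check_token_validity(). The names OIDC_SCOPES, OFFLINE_ACCESS, Token, build_scope, parse_token_response, check_token_validity and apply_refresh_response are assumptions for illustration, and the token responses at the bottom are constructed, not real.

```python
# Added example (not Roundcube's code): handling an OAuth 2.0 / OIDC token
# response in which refresh_token is optional, as RFC 6749 permits.
import time
from dataclasses import dataclass
from typing import Optional

# Assumed names for illustration only.
OIDC_SCOPES = ["openid", "email"]   # base scopes the client asks for
OFFLINE_ACCESS = "offline_access"   # OIDC scope that requests a refresh token


class TokenError(ValueError):
    """Raised for a token response that violates RFC 6749 section 5.1."""


@dataclass
class Token:
    access_token: str
    token_type: str
    expires_at: Optional[float]   # epoch seconds, None if the server sent no expires_in
    refresh_token: Optional[str]  # None is legal: issuing one is at the server's discretion
    scope: Optional[str]


def build_scope(want_refresh_token: bool) -> str:
    """Space-separated scope for the authorization request. A spec-compliant OIDC
    server only issues a refresh_token when offline_access is requested."""
    scopes = list(OIDC_SCOPES)
    if want_refresh_token and OFFLINE_ACCESS not in scopes:
        scopes.append(OFFLINE_ACCESS)
    return " ".join(scopes)


def parse_token_response(resp: dict, now: float) -> Token:
    """Validate a token endpoint response. Required: access_token, token_type.
    Optional: expires_in, refresh_token, scope. A missing refresh_token is not an error."""
    for field in ("access_token", "token_type"):
        value = resp.get(field)
        if not isinstance(value, str) or not value:
            raise TokenError(f"token response is missing required field {field!r}")
    if resp["token_type"].lower() != "bearer":
        raise TokenError(f"unsupported token_type {resp['token_type']!r}")
    expires_at = None
    if "expires_in" in resp:
        try:
            ttl = int(resp["expires_in"])
        except (TypeError, ValueError):
            raise TokenError("expires_in must be an integer number of seconds")
        if ttl <= 0:
            raise TokenError("expires_in must be positive")
        expires_at = now + ttl
    refresh = resp.get("refresh_token")
    if refresh is not None and (not isinstance(refresh, str) or not refresh):
        raise TokenError("refresh_token, if present, must be a non-empty string")
    return Token(resp["access_token"], resp["token_type"], expires_at, refresh, resp.get("scope"))


def check_token_validity(tok: Token, now: float, leeway: int = 30) -> str:
    """Classify the stored token:
      'valid'   - access token still usable (allowing `leeway` seconds of clock skew)
      'refresh' - access token (about to be) expired and a refresh_token is available
      'expired' - access token expired and no refresh_token: the session must be
                  killed and the user sent back to the logon screen."""
    if tok.expires_at is None or now + leeway < tok.expires_at:
        return "valid"
    return "refresh" if tok.refresh_token else "expired"


def apply_refresh_response(old: Token, resp: dict, now: float) -> Token:
    """Merge the response to a refresh_token grant (RFC 6749 section 6). The server
    MAY omit refresh_token in that response; the old one then stays valid and must
    be kept rather than dropped, or the client silently loses its refresh ability."""
    new = parse_token_response(resp, now)
    if new.refresh_token is None:
        new.refresh_token = old.refresh_token
    if new.scope is None:
        new.scope = old.scope
    return new


if __name__ == "__main__":
    now = time.time()
    # Constructed sample response (not a real token): no refresh_token issued.
    without_refresh = {"access_token": "at-1", "token_type": "Bearer", "expires_in": 3600}
    tok = parse_token_response(without_refresh, now)
    print(check_token_validity(tok, now))           # valid
    print(check_token_validity(tok, now + 3600))    # expired: no refresh_token, log the user out
```

Two details matter for a long-running session like Roundcube's: a missing expires_in means the server gave no lifetime, so the token is treated as valid until the resource server rejects it, and a refresh response without a refresh_token keeps the previous one instead of discarding it.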