Reputation: 21
I am currently studying OAuth 2.0 and OIDC, and I have a confusion about access tokens. If the end-user is still interacting with the application and the access token the app obtained from the Authorization Server expires, what should the application do if it has no refresh token and needs to access some resources? Should the end-user be reauthenticated?
Thank you in advance for your help
Upvotes: 1
Views: 761
Reputation: 19991
If the access token is expired and you have no refresh token, then you have to let the user sign in and reauthenticate. Sometimes the OIDC server can remember the user and auto sign in the user again. But how this is done is very implementation-specific. How this is done is outside the scope of the specification.
Upvotes: 1
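As an added illustration of the decision the answer describes (not code from the question or answer), the Python below decides whether a stored token set can be used, refreshed, or requires sending the user back through the authorization endpoint, and builds that re-authorization request with fresh `state`, `nonce` and PKCE values. The `prompt=none` parameter is the standard OIDC way to ask the provider for the silent re-sign-in the answer mentions; the endpoint, client id and token values are constructed placeholders.

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import urlencode

# Constructed token set, shaped like what a client stores after a token
# response ("expires_in" already converted to an absolute "expires_at").
SAMPLE_TOKENS = {"access_token": "at-example", "expires_at": 1_700_000_000}


def next_action(tokens, now=None, skew=30):
    """'use' while the access token is valid (minus a clock-skew margin),
    'refresh' if it expired but a refresh token exists (RFC 6749 s6),
    'reauthorize' if it expired and there is no refresh token."""
    now = time.time() if now is None else now
    if tokens.get("access_token") and now < tokens["expires_at"] - skew:
        return "use"
    if tokens.get("refresh_token"):
        return "refresh"
    return "reauthorize"


def authorization_request(auth_endpoint, client_id, redirect_uri, scope, prompt=None):
    """Build the authorization-code request used to re-authenticate the user.

    state binds the callback to this session (CSRF), nonce binds the ID token
    to this request, and the PKCE verifier/challenge (RFC 7636, S256) binds
    the code to this client instance. Persist the returned dict in the
    session and check it when the callback arrives. prompt="none" asks the
    OP to sign the user in without UI if it still has a session; the OP
    answers error=login_required if it cannot, and the client then repeats
    the request interactively (without prompt=none).
    """
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    if prompt:
        params["prompt"] = prompt
    return f"{auth_endpoint}?{urlencode(params)}", {
        "state": state, "nonce": nonce, "code_verifier": verifier}
```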