Yume

Reputation: 21

What if the user is still authenticated and the access token expires?

I am currently studying OAuth 2.0 and OIDC, and I am confused about access tokens. If the end user is still interacting with the application and the access token the app obtained from the Authorization Server expires, what should the application do if it has no refresh token and needs to access some resources? Should the end user be reauthenticated?

Thank you in advance for your help

Upvotes: 1

Views: 761

Answers (1)

Tore Nestenius

Reputation: 19991

If the access token is expired and you have no refresh token, then you have to let the user sign in and reauthenticate. Sometimes the OIDC server can remember the user and automatically sign the user in again. But how this is done is very implementation-specific. How this is done is outside the scope of the specification.

Upvotes: 1
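
The flow described in the answer, as an added example that is not part of the original post: a client checks token expiry, falls back to a new authorization code + PKCE request when it has no refresh token, and handles the case where the server no longer remembers the user. The endpoint, client ID, redirect URI and the dict-based `session` are assumptions for illustration, and the silent attempt assumes the provider supports the OIDC Core `prompt=none` parameter.

```python
import base64, hashlib, secrets, time
from urllib.parse import urlencode

# Assumed values for illustration; none of these come from the original post.
AUTHORIZE_ENDPOINT = "https://idp.example.com/authorize"
CLIENT_ID = "example-client"
REDIRECT_URI = "https://app.example.com/callback"
SKEW = 30  # seconds of clock skew tolerated before treating a token as expired

def build_auth_request(session, silent):
    """Start a fresh authorization code + PKCE request; returns the redirect URL."""
    verifier = secrets.token_urlsafe(64)
    challenge = base64.urlsafe_b64encode(
        hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()
    pending = {"state": secrets.token_urlsafe(32), "nonce": secrets.token_urlsafe(32),
               "code_verifier": verifier, "silent": silent}
    session["pending"] = pending  # kept server-side, checked on callback
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": "openid",
              "state": pending["state"], "nonce": pending["nonce"],
              "code_challenge": challenge, "code_challenge_method": "S256"}
    if silent:
        params["prompt"] = "none"  # OIDC Core: do not show any login UI
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)

def next_step(session, now=None):
    """Decide what to do before calling a protected resource."""
    now = time.time() if now is None else now
    if session.get("access_token") and session.get("expires_at", 0) - SKEW > now:
        return "use_token", None
    session.pop("access_token", None)  # never send an expired token
    if session.get("refresh_token"):
        return "refresh", None
    return "reauthenticate", build_auth_request(session, silent=True)

def handle_callback(session, query):
    """Validate the redirect back from the authorization server."""
    pending = session.pop("pending", None)  # one-time use
    got = query.get("state", "").encode()
    if pending is None or not secrets.compare_digest(got, pending["state"].encode()):
        raise ValueError("state mismatch: discard this response")
    error = query.get("error")
    silent_errors = ("login_required", "interaction_required", "consent_required")
    if pending["silent"] and error in silent_errors:
        # The server no longer remembers the user: ask them to sign in.
        return "interactive_login", build_auth_request(session, silent=False)
    if error or "code" not in query:
        raise ValueError("authorization failed: %s" % error)
    return "exchange_code", {"code": query["code"], "nonce": pending["nonce"],
                             "code_verifier": pending["code_verifier"]}
```

The `nonce` returned with `exchange_code` is meant to be compared against the `nonce` claim of the ID token received from the token endpoint.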
