How to trust link between application session and OIDC refresh token

Question

I have a web application that has its own session (sessionid cookie, timing out after 60mins). The user logs in via an OIDC connection and we store the idtoken and accesstoken on the session server-side, the refreshtoken in a cookie. We use "email" from the /userinfo endpoint to start a session with the backoffice application.

After x minutes, user comes back and we find idtoken and accesstoken expired. We do a refresh on the /token endpoint to get new accesstoken, but some OIDC servers do not return a new idtoken (still not sure why).

So, when I don't get a new idtoken I don't have a valid one anymore. Can I then simply trust that the idtoken belongs to the current session (as I cannot validate if my current session is for the same sub as the OIDC session), or should I ask for re-login on the auth server?

Answer 1

The id_token represents a user authentication event i.e. describes when (and possibly how) the user authenticated in person. Since a token refresh does not mean that the user is present/online/or-even-alive-anymore an id_token should not be issued, though your mileage may vary across implementations.

Note that the lifetime of the id_token as well as the lifetime of the access_token are in principle independent of the application session lifetime, which in its turn is (in principle) independent from the SSO session at the Provider.

The access token - possibly refreshed via the refresh token - can be used to obtain information about the user from the userinfo endpoint. The information returned must contain a sub claim which must then be compared to the sub from the original id_token (stored in the application session), see: https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse