Hi all,

Recently, I was asked whether a web application can obtain a new access token without a refresh token (OpenID Connect 1.0).

Usually, to exchange for a new access token, we need a refresh token. However, exposing the refresh token to the client (browser) is not a recommended way. I checked that Auth0 (https://auth0.com/docs/quickstart/spa/vanillajs/05-token-renewal) does offer a feature that seems to cater for this issue. It seems Auth0 maintains a long-lived session (in the Auth0 server). After login via Auth0, it stores the refresh token in the Auth0 backend/server. If the client application needs to obtain a new access token (due to expiry), we invoke the Auth0 API to obtain a new one (via an AJAX request to the Auth0 web server with a cookie/session ID).

I want to ask:

1. Does CAS offer such a feature?
2. If not, do you think it will be difficult to implement this in CAS by myself? I guess what needs to be done is: store the refresh token in a cache, expose an API to return the access token (given the session ID cookie)...

Thank you.

Paul
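The approach sketched in the message above (refresh token kept in a server-side cache, access token returned for a session ID cookie), as an added example that is not part of the original post and is not CAS or Auth0 code. `StubTokenEndpoint` and `TokenBroker` are hypothetical names, and the token endpoint is a constructed in-memory stand-in for a real refresh_token grant.

```python
import secrets
import time

class StubTokenEndpoint:
    """Constructed stand-in for an OIDC token endpoint (refresh_token grant)."""
    def __init__(self, ttl=300):
        self.ttl = ttl
        self.valid_refresh = set()

    def issue_refresh(self):
        rt = secrets.token_urlsafe(32)
        self.valid_refresh.add(rt)
        return rt

    def refresh(self, refresh_token, now):
        if refresh_token not in self.valid_refresh:
            raise PermissionError("invalid_grant")
        self.valid_refresh.discard(refresh_token)  # rotation: each refresh token is one-time use
        return {"access_token": secrets.token_urlsafe(32),
                "expires_at": now + self.ttl,
                "refresh_token": self.issue_refresh()}

class TokenBroker:
    """Keeps refresh tokens server-side, keyed by the session ID cookie value."""
    def __init__(self, endpoint, skew=30):
        self.endpoint = endpoint
        self.skew = skew       # renew this many seconds before expiry
        self.sessions = {}     # session_id -> refresh_token / access_token / expires_at

    def login(self, refresh_token):
        sid = secrets.token_urlsafe(32)  # unguessable value to place in the session cookie
        self.sessions[sid] = {"refresh_token": refresh_token,
                              "access_token": None, "expires_at": 0}
        return sid

    def access_token(self, session_id, now=None):
        now = time.time() if now is None else now
        entry = self.sessions.get(session_id)
        if entry is None:
            raise PermissionError("unknown or expired session")
        if entry["access_token"] is None or now >= entry["expires_at"] - self.skew:
            try:
                entry.update(self.endpoint.refresh(entry["refresh_token"], now))
            except PermissionError:
                del self.sessions[session_id]  # refresh token rejected: force a new login
                raise
        return entry["access_token"]  # only the short-lived access token leaves the server

    def logout(self, session_id):
        self.sessions.pop(session_id, None)
```

The session ID returned by `login` is the only long-lived credential the browser holds, so it belongs in a cookie marked `HttpOnly`, `Secure` and `SameSite`.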
