Re: [jetty-users] jetty-openid : honouring expiry time

[Greg Wilkins]

Andrew,

sounds like a feature that might be developed.  Can you please open an
issue to request this.

On Thu, 2 Mar 2023 at 16:15, Andrew McGuinness <
and...@dev.sunshineriding.co.uk> wrote:

> I've started using jetty-openid for authentication (with jetty 10), and as
> far as I can see, once a user has authenticated successfully with openid,
> their session stays authenticated for the lifetime of the session (based on
> idle time or cookie exipry).
>
> I would have thought ideally the session should only remain authenticated
> until the expiry time returned with the access token is reached. At that
> point the refresh token should be used to obtain a new valid access token.
>
> Does that sound right? Is it a feature that might be developed?
>
>
>
>
>
>
>
>
>
> ___
> jetty-users mailing list
> jetty-users@eclipse.org
> To unsubscribe from this list, visit
> https://www.eclipse.org/mailman/listinfo/jetty-users
>


-- 
Greg Wilkins  CTO http://webtide.com
___
jetty-users mailing list
jetty-users@eclipse.org
To unsubscribe from this list, visit 
https://www.eclipse.org/mailman/listinfo/jetty-users

[jetty-users] jetty-openid : honouring expiry time

[Andrew McGuinness]

I've started using jetty-openid for authentication (with jetty 10), and as far 
as I can see, once a user has authenticated successfully with openid, their 
session stays authenticated for the lifetime of the session (based on idle time 
or cookie exipry).

I would have thought ideally the session should only remain authenticated until 
the expiry time returned with the access token is reached. At that point the 
refresh token should be used to obtain a new valid access token.

Does that sound right? Is it a feature that might be developed?
___
jetty-users mailing list
jetty-users@eclipse.org
To unsubscribe from this list, visit 
https://www.eclipse.org/mailman/listinfo/jetty-users