Retain OIDC access token expiry time in the cookie #32109
Description
Description
Right now, when the authorization code flow is run, and the code is exchanged for tokens, they are kept in the session cookie by default. ID token is always JWT so when its expiry is checked, a JWT exp claim is checked.
However when the access token is used to fetch UserInfo, and its expiry is checked, right now, we have 2 options:
- if the access token is JWT - check the expiry the same way as for the ID token
- if the access token is binary - introspect it remotely and get the
expproperty from the introspection response.
However, when the token is introspected and is reported as inactive, providers are not required to report any reasons behind the access token becoming inactive, so the exp info is not guaranteed to be always present in the introspection responses.
But the access token expiry time is typically returned when the code is exchanged for the tokens, as a JSON property reported in addition to the actual tokens.
So this enhancement is about retaining this property in the session cookie. The challenge here is that unless it is integrity protected, we can't rely on this expiry date coming from the cookie.
Implementation ideas
No response