OIDC provides two kinds of refresh_token:
- offline RT: for example for a mobile app
- online RT: for example for a webmail client
Following security guidelines, a relying party should receive a short-lived access_token (around 10 minutes) together with a refresh_token that permits the RP to obtain new access_tokens during the refresh_token's lifetime. The same applies to a mobile app. The only difference is the TTL of the refresh_token:
- the same as the SSO session for an "online" RT (Linshare web)
- some months/years for an "offline" RT (mobile app)
Job done for Twake-Mail.
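An added example (not code from Twake-Mail or LinShare) that models the lifetime policy described above on the provider side: the refresh_token TTL depends on whether the client asked for offline_access, and an online RT additionally stops working as soon as its SSO session is gone. The 180-day offline TTL, the session ids and the timestamps are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed policy values following the text above: access tokens live
# ~10 minutes; an "online" RT lives as long as the SSO session; an "offline"
# RT (requested with the offline_access scope) lives for months
# (180 days is an assumed value, not one from the page).
ACCESS_TOKEN_TTL = timedelta(minutes=10)
OFFLINE_RT_TTL = timedelta(days=180)

@dataclass
class RefreshToken:
    kind: str                      # "online" or "offline"
    expires_at: datetime
    sso_session_id: Optional[str]  # online RTs are bound to the SSO session

def issue_tokens(scopes, now, sso_session_id, sso_session_expires_at):
    """OP side: return (access_token_expiry, refresh_token) for this client."""
    if "offline_access" in scopes:                 # e.g. the mobile app
        rt = RefreshToken("offline", now + OFFLINE_RT_TTL, None)
    else:                                          # e.g. the webmail client
        rt = RefreshToken("online", sso_session_expires_at, sso_session_id)
    return now + ACCESS_TOKEN_TTL, rt

def refresh(rt, now, active_sso_sessions):
    """OP side: new access_token expiry, or None if the RT is no longer usable."""
    if now >= rt.expires_at:
        return None
    # An online RT dies with its SSO session (logout/timeout), not only at expiry.
    if rt.kind == "online" and rt.sso_session_id not in active_sso_sessions:
        return None
    return now + ACCESS_TOKEN_TTL

def demo():
    """Walk both client types through issue -> refresh -> SSO logout -> refresh."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    sso_end = t0 + timedelta(hours=8)            # constructed SSO session length
    _, web_rt = issue_tokens(["openid", "email"], t0, "sess-1", sso_end)
    _, app_rt = issue_tokens(["openid", "offline_access"], t0, "sess-2", sso_end)
    t1 = t0 + timedelta(minutes=15)              # first access_token already expired
    return {
        "web_refresh_ok": refresh(web_rt, t1, {"sess-1"}) is not None,
        "web_after_logout": refresh(web_rt, t1, set()) is not None,
        "web_after_sso_end": refresh(web_rt, sso_end, {"sess-1"}) is not None,
        "app_after_logout": refresh(app_rt, t1, set()) is not None,
        "app_after_6_months": refresh(app_rt, t0 + OFFLINE_RT_TTL, set()) is not None,
    }
```

Calling `demo()` shows the webmail RT refreshing only while the SSO session is alive, while the mobile RT keeps refreshing after logout until its own expiry.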