I am moving from a purely access_token-on-the-wire architecture to using the AuthFeature() with its cookies on the wire.
We have our own OAuth2 server that serves up an access_token as well as a refresh_token, and that takes the user's and application's credentials. Standard OAuth2 stuff.
As I understand it, once the access_token is obtained from the OAuth2 server (through our custom OAuth2Provider), the user is authenticated, and the access_token and potentially the refresh_token are saved in the IAuthSession.
The session and session_id are created and stored.
The user is now authenticated as long as the ‘session_id/cookie’ is remembered by the client, or until the session expires (if configured to).
Now, we would like sessions created by authn with our OAuthProvider to expire on the same frequency as the access_token expires, but we want to use the refresh_token to create a new session (with a new access_token) when or before that happens, so that the user still remains authenticated but we still permit the session/access_token to expire frequently.
Is this feasible? How and where in the code would it be done?