Ok, thanks for listening to me…
The way I like to think about it is:
If the client knows when the AT will (likely) expire, it can proactively refresh the token.
There is nothing the client can do differently if it knows when the RT will (likely) expire.
Tue, Aug 23, 2022 4:46pm -07:00
Have you written a
to this? Let me know the URL:
Yes, the client needs to be able to handle unexpected expiration of both the AT and RT, which tbh is more an argument that the AS should never return expires_in than an argument that it should return it for both tokens.
Tue, Aug 23, 2022 4:49pm -07:00