Is your feature request related to a problem? Please describe.
Currently it is possible to retrieve an access_token in OpenBao but not to extend its lifetime in an OAuth2 / OIDC compatible way. When creating client applications (such as a single page application or iOS / Android app) you don't want the user to have to re-login every day. However creating an access_token with a really long lifetime is often not desirable.
Describe the solution you'd like
I would like OpenBao to support section 1.5 of the OAuth2 spec, refresh tokens. Allowing me to obtain a new access_token (OpenBao batch token) by using a refresh token. The refresh token is provided to the client at the same time the access_token is provided. In OpenBao's case the refresh token could be used to extend the lifetime of the access_token to its max_ttl. The access_token is allowed to change when it is refreshed (as far as I know). Same goes for the refresh token itself.
Describe alternatives you've considered
Using the OpenBao-specific API to refresh the token since the OIDC access_token is in essence "just" an OpenBao batch token. However that might hurt OpenBao's OIDC adoption since standard client libraries with support for refresh tokens won't work.
I originally created this as a Vault feature request: hashicorp/vault#16134, where it gathered the most engagement I ever had online, 23 thumbs-up emojis! ;-)
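
The behaviour requested above, sketched as an added example that is not part of the original issue and is not OpenBao code: a toy in-memory token endpoint that handles the `grant_type=refresh_token` request from RFC 6749, rotates both tokens on every refresh, and caps the session at `max_ttl`. The `TokenEndpoint` class, its method names and the TTL defaults are assumptions made for illustration.

```python
import secrets
import time


class TokenEndpoint:
    """Toy model of a token endpoint with refresh tokens (hypothetical, not OpenBao's API)."""

    def __init__(self, ttl=3600, max_ttl=86400, clock=time.time):
        self.ttl, self.max_ttl, self.clock = ttl, max_ttl, clock
        self.sessions = {}  # refresh_token -> (subject, hard_expiry)

    def _issue(self, subject, hard_expiry):
        # A new access token never outlives the session's max_ttl deadline.
        expires_in = int(min(self.ttl, hard_expiry - self.clock()))
        refresh = secrets.token_urlsafe(32)
        self.sessions[refresh] = (subject, hard_expiry)
        return {
            "access_token": secrets.token_urlsafe(32),
            "token_type": "Bearer",
            "expires_in": expires_in,
            "refresh_token": refresh,
        }

    def login(self, subject):
        """Initial authentication: fixes the hard deadline once, at login time."""
        return self._issue(subject, self.clock() + self.max_ttl)

    def token(self, form):
        """Handle a refresh request (RFC 6749 section 6) given its form fields."""
        if form.get("grant_type") != "refresh_token":
            return {"error": "unsupported_grant_type"}
        # pop() makes each refresh token single-use: a replayed or stolen
        # token that was already redeemed is rejected.
        session = self.sessions.pop(form.get("refresh_token"), None)
        if session is None or session[1] <= self.clock():
            return {"error": "invalid_grant"}
        return self._issue(*session)


if __name__ == "__main__":
    endpoint = TokenEndpoint()
    first = endpoint.login("alice")  # constructed subject
    second = endpoint.token(
        {"grant_type": "refresh_token", "refresh_token": first["refresh_token"]}
    )
    print(second["expires_in"], second["refresh_token"] != first["refresh_token"])
```

Because the deadline is fixed at login and carried across rotations, refreshing extends the session only up to `max_ttl`, after which the user has to authenticate again.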