Question: How should SDK handle refreshes and logouts? #1399
Unanswered
jakedoublev asked this question in SDK Q&A
Replies: 0 comments
The OpenTDF Platform is in a unique situation because it is a resource server and NOT an identity provider, though the core feature of the platform being authorization means it is inherently tied to identity. Keycloak is used as the reference idP, but it is worth explicitly noting that the Platform is not an idP and should be cross-idP compatible.
The SDK currently supports these WithOpts for authentication:

When dealing with client credentials, it's an OAuth flow and not an OIDC flow, so there is no refresh token, and the SDK handles expiry with a new token get using the same credentials.
When dealing with the OAuth token source, the SDK currently does no refreshing and errors in the event of expiration.
I have not investigated refreshes with token/cert exchange and how we do/might handle expiration of tokens in the SDK when initialized with those options.
There is also a desire to support DPoP (distributed proof of possession) throughout the platform, which is currently not fully supported.
Some questions arise.
The following scenarios must be considered:
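To make the two expiry behaviours described above concrete, here is an added, stand-alone Go sketch. It is not code from the OpenTDF SDK or its `WithOpts`; the `Token`, `StaticTokenSource` and `ClientCredentialsSource` types are constructed for this example, the `fetch` hook is a hypothetical stand-in for the HTTP call to the IdP token endpoint, and the clock is passed in explicitly so the walk-through is deterministic. A static OAuth token has no refresh path, so the source fails closed with a clear error once the token lapses instead of sending a stale credential; the client-credentials source caches its token and silently re-runs the grant when the token nears expiry. Token exchange and DPoP are not modelled here.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// Token pairs an access token with its expiry (constructed type, not the SDK's).
type Token struct {
	AccessToken string
	Expiry      time.Time
}

// ErrTokenExpired: a static token has lapsed and there is no refresh token to
// renew it, so the client fails closed rather than send a credential the
// resource server will reject.
var ErrTokenExpired = errors.New("access token expired and no refresh path is available")

// expiryLeeway retires a token shortly before its real expiry so a request
// does not leave the client with a token that lapses in flight.
const expiryLeeway = 30 * time.Second

// StaticTokenSource wraps a caller-supplied OAuth access token (the "OAuth
// token source" case above). The clock is a parameter so tests are deterministic.
type StaticTokenSource struct{ tok Token }

func (s *StaticTokenSource) Token(now time.Time) (Token, error) {
	if !now.Add(expiryLeeway).Before(s.tok.Expiry) {
		return Token{}, ErrTokenExpired
	}
	return s.tok, nil
}

// ClientCredentialsSource re-runs the client_credentials grant whenever the
// cached token is missing or near expiry. fetch stands in for the HTTP POST to
// the IdP token endpoint (hypothetical hook supplied by the caller).
type ClientCredentialsSource struct {
	mu      sync.Mutex
	fetch   func(now time.Time) (Token, error)
	cached  Token
	fetches int // grants actually executed
}

func (c *ClientCredentialsSource) Token(now time.Time) (Token, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.cached.AccessToken != "" && now.Add(expiryLeeway).Before(c.cached.Expiry) {
		return c.cached, nil // still valid: reuse rather than hit the IdP per request
	}
	tok, err := c.fetch(now)
	if err != nil {
		return Token{}, fmt.Errorf("client_credentials grant failed: %w", err)
	}
	c.cached = tok
	c.fetches++
	return tok, nil
}

// DemoResult collects what RunDemo observes.
type DemoResult struct {
	StaticErrBefore error    // nil: token still valid
	StaticErrAfter  error    // ErrTokenExpired
	CCTokens        []string // tokens handed out across three calls
	CCFetches       int      // grants executed (2: initial plus one renewal)
}

// RunDemo drives both sources against a fixed clock: a static token that is
// used once and then expires, and a client-credentials source that serves from
// cache until the token nears expiry, then fetches again.
func RunDemo() DemoResult {
	start := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	var res DemoResult

	static := &StaticTokenSource{tok: Token{AccessToken: "static-token", Expiry: start.Add(time.Minute)}}
	_, res.StaticErrBefore = static.Token(start)
	_, res.StaticErrAfter = static.Token(start.Add(2 * time.Minute))

	issued := 0 // fake IdP: each grant mints a fresh 5-minute token (constructed data)
	cc := &ClientCredentialsSource{fetch: func(now time.Time) (Token, error) {
		issued++
		return Token{AccessToken: fmt.Sprintf("cc-token-%d", issued), Expiry: now.Add(5 * time.Minute)}, nil
	}}
	for _, at := range []time.Time{start, start.Add(time.Minute), start.Add(5 * time.Minute)} {
		tok, err := cc.Token(at)
		if err != nil {
			panic(err) // the fake IdP above never fails
		}
		res.CCTokens = append(res.CCTokens, tok.AccessToken)
	}
	res.CCFetches = cc.fetches
	return res
}

func main() {
	res := RunDemo()
	fmt.Printf("static: before=%v after=%v\n", res.StaticErrBefore, res.StaticErrAfter)
	fmt.Printf("client credentials: tokens=%v fetches=%d\n", res.CCTokens, res.CCFetches)
}
```

The leeway check is the part worth carrying into a real SDK: deciding expiry client-side, slightly early, gives a single well-defined error (or a single renewal) instead of a server-side rejection surfacing deep inside a request path.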