CF UAA Does Not Store or Use External IDP's Refresh Token

[Amitabh36]

Description:
When integrating with an external Identity Provider (IDP), CF UAA does not store the access token or refresh token issued by the external IDP. This leads to a problem when UAA’s own refresh token expires.

For example, if UAA's refresh token expires in 2 hours but the external IDP's refresh token is valid for 24 hours (or any longer duration depending on its configuration), UAA is unable to obtain a new access token from the external IDP after its own token expires. This is because UAA does not retain the external IDP's refresh token, which would still be valid.

Impact:
This limitation breaks long-lived sessions and forces users to reauthenticate even though the external IDP's refresh token is still valid.

[Amitabh36]

Hi team, just checking in for an update on this ticket. Please let me know if any additional information is needed from my side.

[strehle]

Hi team, just checking in for an update on this ticket. Please let me know if any additional information is needed from my side.

hi, I need more insights about what you want get with it. / solve with it.?

Insights:
We do store the id_token in the session to allow a logout with passing id_token_hint to the OIDC server. But the session is not that long available.

UAA has no long term token usages from the used IDP, but we simply forward always to the OIDC idp if there is no local session available