Issue Description
May be related to #100.
Some time after logging in, I get logged out with the message "OAuth: An error occured during the request to the oauth provider: [HTTP 401]".
As far as I understand, this plugin is checking at some point whether the access token is still valid, or, if it is not, tries to get a new one using a refresh token.
This is what I found in the OIDC spec:
Access Tokens might not be revocable by the Authorization Server. Access Token lifetimes SHOULD therefore be kept to single use or very short lifetimes.
If ongoing access to the UserInfo Endpoint or other Protected Resources is required, a Refresh Token can be used. The Client can then exchange the Refresh Token at the Token Endpoint for a fresh short-lived Access Token that can be used to access the resource.
If I understand the spec correctly, the access token should only be used to fetch user info or other protected data. There is no mention that the client session should expire with the access token. So I think this is a bug.
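An added example, not the plugin's or the issue author's code, of the client-side behaviour the quoted spec text implies: when the access token is (about to be) expired, exchange the refresh token at the token endpoint and keep the user's session, and end the session only when that exchange itself is rejected. The `token_endpoint` callable and the `Session` fields are assumptions made for the illustration.

```python
import time
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Session:
    access_token: str
    refresh_token: Optional[str]
    expires_at: float  # unix time at which the access token expires

# Hypothetical token-endpoint caller: takes the refresh_token grant parameters,
# returns the parsed JSON token response, raises on HTTP errors (400/401).
TokenEndpoint = Callable[[dict], dict]

def refresh_grant_params(session: Session, client_id: str) -> dict:
    """Body of the refresh_token grant sent to the token endpoint."""
    return {
        "grant_type": "refresh_token",
        "refresh_token": session.refresh_token,
        "client_id": client_id,
    }

def ensure_fresh(session: Session, token_endpoint: TokenEndpoint, client_id: str,
                 now: Optional[float] = None, skew: int = 30) -> Optional[Session]:
    """Return a session holding a usable access token, or None when the user
    really has to log in again. Refreshes `skew` seconds before expiry so a
    request issued right at the boundary does not fail with 401."""
    now = time.time() if now is None else now
    if now + skew < session.expires_at:
        return session  # access token still valid: no round trip needed
    if not session.refresh_token:
        return None  # nothing to exchange: re-login is the only option
    try:
        resp = token_endpoint(refresh_grant_params(session, client_id))
    except Exception:
        return None  # refresh rejected by the provider: session really ends
    return Session(
        access_token=resp["access_token"],
        # Providers may rotate the refresh token; keep the old one if they don't.
        refresh_token=resp.get("refresh_token", session.refresh_token),
        expires_at=now + int(resp.get("expires_in", 0)),
    )
```

Only the `except` branch corresponds to the forced logout in the report; an expired access token on its own should land in the refresh path instead.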