The current algorithm in Liferay is to request a new ID Token using the Refresh Token once the Access Token has expired. However, this algorithm fails when both the Refresh Token and the Access Token have the same lifetime.
With a new configuration entry, the portal administrator will be able to configure that the portal will try to refresh the token before that expires. For example with setting a time offset with which refreshing the token will be triggered the access token lifetime minus offset.
Besides, in order for this setup to work properly, the portal administrator may be able to configure a session timeout with a duration inferior to the offset and have session auto extension so as to make sure that a request to the portal happens during the time frame of this offset.
Link to a custom development implementing such behaviour (with hard coded offset equals to half lifetime): https://github.com/fabian-bouche-liferay/oidc-refresh
- As an Instance Administrator, I want to be able to configure that to have the access token be refreshed before the access token expires on order not to have additional, unnecessary authorization grant step
- As an Instance Administrator, I want to be able to configure a session timeout also in order to have session auto extension so as to make sure that a request to the portal happens during the given time frame from the previous configuration.