On Tue, 2013-08-06 at 08:35 +0300, Alberto Mardegan wrote:
On 08/05/2013 09:16 PM, Patrick Ohly wrote:
> Alberto, implementing 'ForceTokenRefresh' in signond would be useful.
> Otherwise, when there is some clock skew and the server already rejects
> the access token while the client still thinks that the token has not
> expired yet, getting the token refreshed via signond will not work.
> In the meantime, is it okay to pass that key in the session data even
> though signond doesn't understand it (yet)?
All unknown keys are ignored, so yes, you can pass it.
While I understand the reason for ForceTokenRefresh, what I don't like
about it is that it complicates the client code: not only clients need
to catch errors from signond, but even in the case of a successful
response they must handle the case of an expired access token and
I'd propose an alternate (and simpler) solution: when we have a refresh
token, avoid caching the access token.
This assumes that a new token is always valid long enough for the client
to finish its task. I suspect that even with simple clients, this may
not always be true. For example, the client might run while a laptop
gets suspended and resume after the token that it uses expired. Always
asking for a new token before each HTTP request would also not work
reliably and without access token caching be too expensive.
A more complex client, one which runs for extended periods of time, will
have to be aware of the need to refresh tokens anyway.
Best Regards, Patrick Ohly
The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.