On 08/05/2013 09:16 PM, Patrick Ohly wrote:
Alberto, implementing 'ForceTokenRefresh' in signond would be
Otherwise, when there is some clock skew and the server already rejects
the access token while the client still thinks that the token has not
expired yet, getting the token refreshed via signond will not work.
In the meantime, is it okay to pass that key in the session data even
though signond doesn't understand it (yet)?
All unknown keys are ignored, so yes, you can pass it.
While I understand the reason for ForceTokenRefresh, what I don't like
about it is that it complicates the client code: not only clients need
to catch errors from signond, but even in the case of a successful
response they must handle the case of an expired access token and
I'd propose an alternate (and simpler) solution: when we have a refresh
token, avoid caching the access token.