Stephan Aßmus

Results 18 comments of Stephan Aßmus

> With this change, this will prevent users from disabling the refresh right? I believe some users don't care about refreshing and therefore are quite happy to have expired tokens...

One good reason for making sure the JWT is never expired is that it may be forwarded to another system, e.g. for principal propagation. That is how we noticed a...

I would love to get feedback on my argument above. I am open to implementing it in a different way that takes more needs into account.

It sounds like exactly the same problem.

> Looking at https://github.com/oauth2-proxy/oauth2-proxy/blob/c5a98c6d03781476021107772a150ba2acb39206/pkg/middleware/stored_session.go#L171-L173, I think this is probably an ok change. If we do attempt to refresh a session and the provider doesn't refresh...

> @stippi2 Do you think the concern mentioned in this comment is valid? [#1318 (comment)](https://github.com/oauth2-proxy/oauth2-proxy/pull/1318#issuecomment-1040016499)

In principle, yes.

> Coming back to this, what are we trying to do with the latest version of this PR? Can we get it fixed up against the latest master?

Sure, I've...

> @weinong you should ask @stippi2 (the author of the PR #1433 used to fix #1396)

Please don't confuse what my PR did. The call to `ValidateSession()` was already in...