Support for passing Refresh Tokens

[kthare10]

Vouch Proxy currently allows passing in provider Id and Access Tokens. We need Refresh Token as well to be passed. Could you please consider adding support for passing provider Refresh Tokens in Header?

[bnfinet]

@kthare10 could you clarify your usage of the refresh token? Are you hoping to use the refresh token to directly access the IdP to get a new access token? Should VP do something with that new access token, or the refresh token? Are you using VP for access control or merely as a convenience for getting the tokens?

[kthare10]

My application is planning to use the refresh token to directly access the IdP to get new access token. I am using Proxy for authentication and then pass tokens to my underlying application which can refresh tokens on its own by talking to IdP.

[bnfinet]

@badstreff @shabe @kthare10 at this point we're leaning against including the passing of Refresh Tokens to protected sites/apps, though we're willing to be convinced.

The thinking is, if the app needs the refresh token, why not allow the end user to go through a whole auth cycle for the app. If the app is already going to be interacting with the IdP, why not start from the beginning.

That said, if you can articulate a use case which clarifies the need we're all ears.

[bnfinet]

FWIW I'm more interested in #149 having VP do the refresh, but then there's the question of "where to keep the refresh token" and various other aspects of triggering the refresh event.

[ahilmathew]

Any update on this PR? I am also looking at utilizing refresh_tokens issued by the IdP.