Will SiteMinder keep both the "SMSESSION" cookie and the "OAUTH" tokens in sync when the user is on an OIDC-compliant app?
------ Use Case Flow:
User logs into an OIDC compliant app.
The user gets an SMSESSION cookie (expires in 20 mins) and access (expires in 5 mins), ID and refresh tokens (expires in 2 hrs).
When a user is navigating within the app, the user will get new access tokens with a sliding expiry time.
This expiry time will go up to 2 hours, as set in the refresh token.
------ Questions:
At t=10 min, when the app refreshes the access token, will the new SM session have a new expiry time 20 mins from now, i.e. expiring in the 30th minute?
At t=50 min, when the SM cookie has expired, will SM continue to dish out new access tokens? If the user now navigates to an SM agent-based application, will it fail? Users will be presented with a login page. Is that expected behavior?
After t = 2 hours, when the application requests a refresh token, will SiteMinder respond with a null token? Or will SiteMinder redirect to a login page?
Component: Policy Server (SMPLC)
Release: Applicable to all the supported releases.