Problem
Let's consider a typical scenario where a service (OAuth2 client) connected to the Infrastructure Proxy interacts with a resource server through a chain of proxies (Infrastructure Proxy to Community AAI). The client requests an access token and a refresh token (e.g. using the offline_access scope) from the Infrastructure Proxy:
SAML Connection: If the Infrastructure Proxy is connected to the Community AAI using SAML, there's no mechanism for the Infrastructure Proxy to forward the request for a refresh token to the Community AAI.
OIDC Connection:
It's currently unclear whether the Infrastructure Proxy should forward the request for the refresh token to the Community AAI.
It's also unclear how the Infrastructure Proxy interacts with the Community AAI when the OAuth client uses the refresh token to obtain a new access token.
A draft document outlining a proposed approach is available at:
https://docs.google.com/document/d/1dg4iLmqbE5AkgRASNu5JhxaZV3jVXSHKmYe3utWN5VU/edit
The document includes sequence diagrams for obtaining and using refresh tokens, relying on token introspection before issuing new access tokens.
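The following sketch is an added example, not taken from the issue or the draft document. It shows one way a proxy's token endpoint could introspect an upstream token before honouring a refresh request. It assumes the Infrastructure Proxy stores an upstream Community AAI token for each refresh token it issues; `InfrastructureProxy`, `introspect_upstream` and the sample tokens are hypothetical, and the introspection endpoint is simulated in-process with an RFC 7662 response shape.

```python
import secrets
import time

# Constructed stand-in for the Community AAI's token store (not real data).
UPSTREAM_TOKENS = {
    "upstream-alice": {"sub": "alice", "scope": "openid offline_access", "exp": 5000, "revoked": False},
    "upstream-bob": {"sub": "bob", "scope": "openid offline_access", "exp": 5000, "revoked": True},
}

def introspect_upstream(token, now):
    """Simulates the Community AAI introspection endpoint (RFC 7662 response shape)."""
    rec = UPSTREAM_TOKENS.get(token)
    if rec is None or rec["revoked"] or rec["exp"] <= now:
        return {"active": False}  # inactive responses carry no other claims
    return {"active": True, "sub": rec["sub"], "scope": rec["scope"], "exp": rec["exp"]}

class InfrastructureProxy:
    """Hypothetical proxy token endpoint; names are illustrative assumptions."""

    def __init__(self, introspect):
        self._introspect = introspect
        self._grants = {}  # proxy-issued refresh token -> upstream token it depends on

    def issue_refresh_token(self, upstream_token):
        rt = secrets.token_urlsafe(32)
        self._grants[rt] = upstream_token
        return rt

    def refresh(self, refresh_token, now=None, ttl=600):
        """Handle grant_type=refresh_token from the OAuth2 client."""
        now = time.time() if now is None else now
        upstream = self._grants.get(refresh_token)
        if upstream is None:
            return {"error": "invalid_grant"}
        state = self._introspect(upstream, now)
        if not state["active"]:
            # Upstream authorization is gone: drop the grant so the proxy's
            # refresh token cannot outlive it.
            del self._grants[refresh_token]
            return {"error": "invalid_grant"}
        return {
            "access_token": secrets.token_urlsafe(32),
            "token_type": "Bearer",
            # Never issue an access token that outlives the upstream token.
            "expires_in": int(min(ttl, state["exp"] - now)),
            "scope": state["scope"],
        }
```
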