
Currently, examples like these using OIDC with cookies, https://andrewlock.net/an-introduction-to-openid-connect-in-asp-net-core/ and https://stormpath.com/blog/openid-connect-user-authentication-in-asp-net-core, don't seem to discuss how OpenID uses refresh tokens or handles expired JWT tokens in cookies.

Currently I have a working example that is able to log in with no problem, but after the exp in the token has expired, no refresh token is sent (even though I receive one), and the user is not invalidated either. Essentially, one login persists indefinitely...

Is the OpenIDConnect middleware meant to check/handle this? I have seen examples where they implement a validator and the "unprotect" method; however, I think that because I am not just a bearer in my case, I would need to implement the protect method as well (or at least I get an error when I don't).

I've also looked at this answer, which states that it's not handled at all when the JWT is in cookies: How to handle expired access token in asp.net core using refresh token with OpenId Connect. But it doesn't really say how to send the refresh token, just how to find out when one is needed, and then "context.ShouldRenew = true;" should fetch a new cookie??

Is this really what is needed? It seems that the OIDC auth flow should handle refresh tokens without me having to implement my own way of sending them.

Am I off track?

Any help is appreciated.

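The question above leaves open what "context.ShouldRenew = true" has to be paired with. The following is an added example, not code from the question or from the ASP.NET Core project: a cookie-authentication OnValidatePrincipal hook that checks the stored access-token expiry, redeems the stored refresh token at the provider's token endpoint, writes the new tokens back into the cookie properties and sets ShouldRenew, and rejects the principal if no refresh is possible, so that a single login can no longer persist indefinitely. It assumes the OpenIdConnect handler was configured with SaveTokens = true (which is what puts "access_token", "refresh_token" and "expires_at" into the cookie properties), and the token endpoint URL, client id and client secret are passed in by the caller (hypothetical parameters, not values from the page).

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Net.Http;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;

public static class RefreshingCookieEvents
{
    public static CookieAuthenticationEvents Create(HttpClient http, string tokenEndpoint,
                                                    string clientId, string clientSecret)
    {
        return new CookieAuthenticationEvents
        {
            OnValidatePrincipal = async context =>
            {
                // The OIDC handler stores "expires_at" in round-trip format when SaveTokens = true.
                var expiresAt = context.Properties.GetTokenValue("expires_at");
                if (expiresAt == null) return; // tokens were not saved into the cookie: nothing to check
                var expiry = DateTimeOffset.Parse(expiresAt, CultureInfo.InvariantCulture);
                if (expiry > DateTimeOffset.UtcNow.AddMinutes(1)) return; // still valid (1 min skew)
                var refreshToken = context.Properties.GetTokenValue("refresh_token");
                if (refreshToken == null) { context.RejectPrincipal(); return; } // cannot refresh: drop session
                // Standard OAuth 2.0 refresh_token grant against the provider's token endpoint.
                var response = await http.PostAsync(tokenEndpoint, new FormUrlEncodedContent(
                    new Dictionary<string, string>
                    {
                        ["grant_type"] = "refresh_token",
                        ["refresh_token"] = refreshToken,
                        ["client_id"] = clientId,
                        ["client_secret"] = clientSecret,
                    }));
                // Refresh rejected (revoked, expired, wrong client): reject rather than keep the stale cookie alive.
                if (!response.IsSuccessStatusCode) { context.RejectPrincipal(); return; }
                using var doc = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
                var root = doc.RootElement;
                context.Properties.UpdateTokenValue("access_token", root.GetProperty("access_token").GetString());
                if (root.TryGetProperty("refresh_token", out var rotated)) // provider may rotate the refresh token
                    context.Properties.UpdateTokenValue("refresh_token", rotated.GetString());
                var newExpiry = DateTimeOffset.UtcNow.AddSeconds(root.GetProperty("expires_in").GetInt32());
                context.Properties.UpdateTokenValue("expires_at", newExpiry.ToString("o", CultureInfo.InvariantCulture));
                context.ShouldRenew = true; // reissue the cookie carrying the refreshed tokens
            }
        };
    }
}
```

Assign the result to options.Events inside the AddCookie(...) configuration; a RejectPrincipal() on an expired session is the point at which the user is sent back through the OIDC challenge instead of staying signed in forever.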
Comment: Did you solve this? Getting similar issues where when the JWT is expired, sometimes the refresh seems to magically happen, but other times the user has to re-enter credentials. See https://stackoverflow.com/questions/63571825/adb2c-refresh-token-challenge-not-working-on-chrome-android – Raj Sep 01 '20 at 14:15
