Offline sessions do not work with delegated auth providers (saml, oidc...), choice and combination
The current implementation of offline sessions (see #813 (closed)) calls getUser to refresh user attributes when the refresh token is exchanged for a new access token.
This is necessary because these sessions can be very long lived, and we might want them to "see" when an attribute is updated.
When using a delegated provider (SAML, OIDC, Facebook...), getUser/setSessionInfo will not work outside of a complete authentication flow, which causes an error:
[debug] OpenID Refresh Token: 27f0e30f46e54f4c37bc439c23d49566e529615a853b099f9e83f143402e949b
[debug] Processing getUser
[debug] Returned error: 9 (PE_FIRSTACCESS)
[error] Could not resolve user: df8a8d4d-e26d-4d5f-a323-ea35e17f26ce
[warn] [anonymous] invalid_grant
I can see several fixes:
- Ignore getUser errors when refreshing the token
- Avoid refreshing the user info entirely: we might need an "isRefreshable" method in each auth provider that tells LLNG if we can call UserInfo on this provider outside of an auth context. This could also be useful for cases like "Refresh My Rights" and password reset.
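The following is an added example, not LemonLDAP::NG code, that models the refresh-token grant for an offline session and contrasts the current behaviour (always calling getUser, which fails with PE_FIRSTACCESS on a delegated provider and ends in invalid_grant) with the second proposed fix (an is_refreshable check that skips the attribute refresh and serves the attributes captured at login). The provider classes, the is_refreshable method, the FirstAccessError exception and the sample users are assumptions constructed for the illustration.

```python
"""Constructed model of refresh-token handling for offline sessions.

Added example, not LemonLDAP::NG code: the provider classes, the
``is_refreshable`` method, ``FirstAccessError`` and the sample users are
assumptions modelled on the behaviour described in the issue.
"""
import secrets


class FirstAccessError(Exception):
    """Mirrors PE_FIRSTACCESS: the provider needs a full authentication flow."""


class LocalProvider:
    """Internal user database (LDAP-like): attributes can be read at any time."""

    def __init__(self, users):
        self.users = users  # uid -> attribute dict (constructed sample data)

    def is_refreshable(self):
        return True

    def get_user(self, uid):
        return dict(self.users[uid])


class DelegatedProvider:
    """SAML/OIDC-style provider: user info only exists during a login flow."""

    def is_refreshable(self):
        return False

    def get_user(self, uid):
        # Outside of an authentication flow there is no IdP response to read.
        raise FirstAccessError("PE_FIRSTACCESS")


def issue_offline_session(store, uid, provider_name, attrs):
    """Create an offline session and return its refresh token."""
    refresh_token = secrets.token_hex(32)
    store[refresh_token] = {"uid": uid, "provider": provider_name, "attrs": dict(attrs)}
    return refresh_token


def refresh_always(store, providers, refresh_token):
    """Current behaviour: always call get_user, so delegated providers fail."""
    session = store.get(refresh_token)
    if session is None:
        return {"error": "invalid_grant"}
    provider = providers[session["provider"]]
    try:
        session["attrs"] = provider.get_user(session["uid"])
    except FirstAccessError:
        return {"error": "invalid_grant"}
    return {"access_token": secrets.token_hex(16), "attrs": dict(session["attrs"])}


def refresh_if_possible(store, providers, refresh_token):
    """Proposed behaviour: refresh attributes only when the provider allows it,
    otherwise keep the attributes captured at login."""
    session = store.get(refresh_token)
    if session is None:
        return {"error": "invalid_grant"}
    provider = providers[session["provider"]]
    if provider.is_refreshable():
        session["attrs"] = provider.get_user(session["uid"])
    return {"access_token": secrets.token_hex(16), "attrs": dict(session["attrs"])}


def demo():
    """Run both strategies against a local and a delegated offline session."""
    users = {"alice": {"mail": "alice@example.org", "role": "user"}}
    providers = {"local": LocalProvider(users), "saml": DelegatedProvider()}
    store = {}
    local_rt = issue_offline_session(store, "alice", "local", users["alice"])
    saml_rt = issue_offline_session(store, "bob", "saml", {"mail": "bob@example.org"})

    # An attribute changes after the offline session was issued; the local
    # provider can surface it on refresh, the delegated one cannot.
    users["alice"]["role"] = "admin"

    return {
        "saml_always": refresh_always(store, providers, saml_rt),
        "saml_checked": refresh_if_possible(store, providers, saml_rt),
        "local_checked": refresh_if_possible(store, providers, local_rt),
        "unknown": refresh_if_possible(store, providers, "not-a-token"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The trade-off the model makes visible: with the check in place a delegated session keeps serving login-time attributes for its whole lifetime, so an attribute or group change at the IdP is not reflected until the user authenticates again, whereas a refreshable local session sees the update on the next refresh.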