Some OAuth clients are using refresh tokens that are valid for a long period (e.g.up to 90 days).
Currently the change of the signing certificate requires users of these applications to re-authenticate on the IDP the next time thy hit the application - even if their refresh token is only a few days old. This causes load on the systems and user confusion.
It is because the validation of refresh (and access) tokens fails after changing the signing certificate. This current behavior was confirmed by case 02503042.
To support a certificate rollover without invalidating active OAuth refresh tokens, NAM IDP should support two OAuth signing certificates in parallel for a period of time like:
- after adding a new signing certificate all new tokens are generated using this new signing certificate,
- but existing refresh tokens are also checked against the old/previous signing certificate in addition to the new/current signing certificate