By: Bart Peeters user 04 Sep 2020 at 4:22 a.m. CDT

2 Responses
Bart Peeters gravatar
When the user does a http GET request to /token to get a new refresh token we would like to be able to do a check to an external api to verify the user associated to the refresh token is still active. What custom script type should I use for this? Custom Authentication and Postauthn scripts do not seem to be executed when getting a refresh token. The custom script should stop Gluu from returning a new refresh token. Kind regards, Bart

By Michael Schwartz staff 14 Sep 2020 at 11:18 a.m. CDT

Michael Schwartz gravatar
Are you using reference tokens or JWT tokens? If JWT, then the introspection script will run. If reference tokens, then perhaps you should just wait for the client to hit the introspection endpoint.

By Bart Peeters user 21 Sep 2020 at 3:51 a.m. CDT

Bart Peeters gravatar
We are mainly using the id token. In our current configuration the id token expires after 30 days, then the client should make a /token GET request which returns a new id token (using openidScopeBackwardCompatibility: true) which is valid for the next 30 days. Our refresh tokens expire after 5 years. We would like to run a custom script whet this GET /token is executed, or when an id JWT token is created.