Does CAS support refreshing an access token without a refresh token (like the feature by auth0)


Paul Luk

Jun 13, 2019, 5:40:37 AM
to CAS Developer
Hi all,

  Recently, I was asked whether a web application can obtain a new access token without a refresh token (OpenID Connect 1.0).

  Usually, to exchange for a new access token, we need a refresh token. However, exposing the refresh token to the client (browser) is not a recommended way.

  I checked that auth0 (https://auth0.com/docs/quickstart/spa/vanillajs/05-token-renewal) does offer a feature that seems to cater for this issue.

  It seems auth0 maintains a long-lived session (in the auth0 server). After login via auth0, it stores the refresh token in the auth0 backend/server.
If the client application needs to obtain a new access token (due to expiry), we invoke the auth0 API to obtain a new one (via an ajax request to the auth0 web server with cookie/session ID).

  I want to ask:
  1. Does CAS offer such a feature?
  2. If not, do you think it will be difficult to implement this in CAS by myself?
      I guess what needs to be done is: store the refresh token in cache, expose an API to return the access token (given the session ID cookie)...


  Thank you.

Paul
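
The idea in the question above (keep the refresh token in a server-side cache and return access tokens against the session ID cookie), shown as an added example that is not part of the original post and is not CAS or Auth0 code. `TokenBroker`, `makeStubTokenEndpoint`, the error value and all token values are hypothetical; the stub stands in for the authorization server's refresh-token grant and assumes refresh token rotation.

```javascript
// Constructed stand-in for the authorization server's token endpoint
// (grant_type=refresh_token). Each refresh token is single-use (rotation).
function makeStubTokenEndpoint() {
  let counter = 0;
  const valid = new Set(["rt-0"]); // constructed initial refresh token
  return function refreshGrant(refreshToken) {
    if (!valid.delete(refreshToken)) throw new Error("invalid_grant");
    counter += 1;
    valid.add(`rt-${counter}`);
    return { access_token: `at-${counter}`, refresh_token: `rt-${counter}`, expires_in: 300 };
  };
}

// Server-side broker: the browser presents only the session cookie value;
// the refresh token stays in this cache and is never put in a response.
class TokenBroker {
  constructor(refreshGrant, sessionTtlMs) {
    this.refreshGrant = refreshGrant;
    this.sessionTtlMs = sessionTtlMs;
    this.sessions = new Map(); // sessionId -> { refreshToken, expiresAt }
  }

  // Called by the login handler; sessionId must be generated there by a CSPRNG.
  bind(sessionId, refreshToken, now) {
    this.sessions.set(sessionId, { refreshToken, expiresAt: now + this.sessionTtlMs });
  }

  // Body of a hypothetical renewal endpoint, given the cookie's session ID.
  renew(sessionId, now) {
    const denied = { status: 401, body: { error: "login_required" } };
    const s = this.sessions.get(sessionId);
    if (!s) return denied; // unknown or already invalidated session
    if (now >= s.expiresAt) { this.sessions.delete(sessionId); return denied; }
    try {
      const t = this.refreshGrant(s.refreshToken);
      s.refreshToken = t.refresh_token; // store the rotated token server-side
      return { status: 200, body: { access_token: t.access_token, expires_in: t.expires_in } };
    } catch (e) {
      this.sessions.delete(sessionId); // revoked or replayed refresh token
      return denied;
    }
  }
}
```

Because the browser attaches the session cookie automatically, an endpoint built this way also needs the cookie marked HttpOnly, Secure and SameSite, plus CSRF protection on the renewal request.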