Hi, I have configured CA Single Sign-On as an OpenID Connect Provider.
In the client I have chosen to send back the SMSESSION in the ID Token,
and I have also chosen to generate an ID Token in the Refresh Token Flow.
The SMSESSION is initially sent back in the ID Token payload; however, during the Refresh Token Flow the same SMSESSION is sent back.
My expectation was to have a new SMSESSION during the Refresh Token Flow. Is this right?
Is there maybe some interaction between the token validity and the session settings in the realm used to protect the authentication URL at the Authorization Provider?
Best Regards
Claudio