Hey all - first off, so impressed with Ory, especially love the Software Architecture and Philosophy document - so good. We are looking really closely at Kratos, but we've hit 2 questions I'm having trouble finding an answer to as we build out this POC. They are:
1. Is there a way to store and keep up to date access tokens, not just the initial one?
2. When a refresh token has expired and the user then logs in again, the provider will issue a new refresh token. Is this then automatically stored in Kratos?
03/24/2022, 3:50 PM
Could you clarify "up to date" access tokens? Kratos logs all (active) sessions and requests, login/sign up/ etc. - is that what you mean?
See this: How Ory Kratos handles OIDC tokens.
Also have a look at the login flow - Ory Kratos works a bit differently from some other popular solutions in that it does not use OAuth2.0 for non-API clients.
You are looking for this feature: https://github.com/ory/kratos/issues/1912. There is also a PR open for it, so it's just a matter of time.
Also to be exact here:
• Kratos does not store AccessTokens! As described here, it takes the id_token (which is a form of access token) and either creates an identity / or (if identity already present) issues a session. The token is then discarded and never saved in the Kratos DB.