# talk-kratos
i
Hey all - first off, so impressed with Ory, especially love the Software Architecture and Philosophy document - so good. We are looking really closely at Kratos, but we've hit two questions I'm having trouble finding an answer to as we build out this POC. They are:
1. Is there a way to store and keep up to date access tokens, not just the initial one?
2. When a refresh token expires and the user then logs in again, the provider will issue a new refresh token. Is this then automatically stored in Kratos?
m
Hey Alex,
1. Could you clarify "up to date" access tokens? Kratos logs all (active) sessions and requests (login, sign up, etc.) - is that what you mean?
2. See this: How Ory Kratos handles OIDC tokens. Also have a look at the login flow - Ory Kratos works a bit differently from some other popular solutions in that it does not use OAuth 2.0 for non-API clients.
i
1. When you first log in, the system will store the access token given by the provider. But if you log in again and the remote provider gives a NEW access token (e.g. when the old one was manually revoked), this does not appear to be saved anywhere? Or am I missing something? Looking at the code https://github.dev/ory/kratos/blob/22cb0816d7c7f66b9978a6b950361bb4f575d30d/internal/httpclient/model_identity_credentials_oidc_provider.go#L19 and at the PR https://github.com/Wikia/kratos/pull/48, both still seem to be using InitialAccessToken and there is no CurrentAccessToken.
m
I see. You are looking for this feature: https://github.com/ory/kratos/issues/1912. There is also a PR open for it, so it's just a matter of time. Also, to be exact here:
• Kratos does not store AccessTokens! As described here, it takes the id_token (which is a form of access token) and either creates an identity or (if the identity is already present) issues a session. The token is then discarded and never saved in the Kratos DB.