Session termination "requirements" #47
Comments
Thanks @gffletch. I think we can add this to the SLx levels as a part of the descriptive text below the table in ipsie-levels.md. If you have suggestions, please author a PR.
I know the IPSIE levels doc is meant to be high level right now, but thinking of the actual mechanics... how do you imagine the Identity Service reaching out to ping the mobile/native app? Are you expecting some sort of push plumbing to be in place? Is that the standard here? TIA. :)
Right now, OIDC back-channel logout says refresh tokens issued with the offline_access scope should not be revoked. We just need to ensure they are revoked in the context of session termination in IPSIE.
That's easy enough to do at the Identity Service for refresh tokens. But there might still be a lingering access token at the mobile/native app. But yeah, I guess this thread was for the offline_access semantic... so I guess that's covered.
For mobile apps we'll need to address offline_access scopes requested by the mobile apps, as that generally means the issued refresh_token is NOT connected to a "signed in session".
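The offline_access question discussed in this thread, as an added example that is not part of the IPSIE repository or any commenter's text. It models an Identity Service token store terminating a session in two modes: the OIDC Back-Channel Logout 1.0 default, under which refresh tokens issued with offline_access SHOULD NOT be revoked, and the stricter behaviour proposed here, where every refresh token bound to the terminated session is revoked. It also shows the logout-token claim checks the spec requires (backchannel-logout event present, no nonce, sid and/or sub) and why an access token still cached on a native app is only a bounded problem: it fails introspection after revocation and expires at its short TTL anyway. The token store, class and function names, session identifiers and logout-token claims are all constructed for the example; JWT signature verification is assumed to have been done before parse_logout_token is called.

```python
# Added example (constructed; not IPSIE or any IdP's code). Models session
# termination at an Identity Service with and without revoking offline_access
# refresh tokens. Names, identifiers and claims are assumptions.
import time
from dataclasses import dataclass

BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"


@dataclass
class Token:
    value: str
    sid: str            # session the token was issued against
    sub: str
    scopes: frozenset
    expires_at: float
    revoked: bool = False


class TokenStore:
    """Toy in-memory token store for one Identity Service (constructed)."""

    def __init__(self):
        self.access: dict[str, Token] = {}
        self.refresh: dict[str, Token] = {}
        self._counter = 0

    def _new(self, kind, sid, sub, scopes, ttl):
        self._counter += 1
        tok = Token(f"{kind}-{self._counter}", sid, sub, frozenset(scopes),
                    time.time() + ttl)
        (self.access if kind == "at" else self.refresh)[tok.value] = tok
        return tok

    def issue(self, sid, sub, scopes, access_ttl=300, refresh_ttl=86400):
        """Issue an access/refresh token pair tied to session `sid`."""
        return (self._new("at", sid, sub, scopes, access_ttl),
                self._new("rt", sid, sub, scopes, refresh_ttl))

    def is_active(self, value):
        """What a resource server learns from introspection (RFC 7662)."""
        tok = self.access.get(value) or self.refresh.get(value)
        return tok is not None and not tok.revoked and tok.expires_at > time.time()

    def terminate_session(self, sid, revoke_offline_access):
        """Revoke tokens bound to `sid`; returns the revoked token values.

        revoke_offline_access=False follows the Refresh Tokens section of OIDC
        Back-Channel Logout 1.0: refresh tokens issued with offline_access are
        kept. revoke_offline_access=True is the stricter behaviour this issue
        asks for. Access tokens of the session are revoked in both modes; a
        copy still cached by a native app fails introspection from now on.
        """
        revoked = []
        for tok in self.access.values():
            if tok.sid == sid and not tok.revoked:
                tok.revoked = True
                revoked.append(tok.value)
        for tok in self.refresh.values():
            if tok.sid != sid or tok.revoked:
                continue
            if "offline_access" in tok.scopes and not revoke_offline_access:
                continue
            tok.revoked = True
            revoked.append(tok.value)
        return revoked


def parse_logout_token(claims):
    """Claim checks OIDC Back-Channel Logout 1.0 requires on a logout token.
    The JWT signature is assumed to be verified already (constructed example)."""
    if BACKCHANNEL_LOGOUT_EVENT not in claims.get("events", {}):
        raise ValueError("not a logout token: missing backchannel-logout event")
    if "nonce" in claims:
        raise ValueError("logout tokens MUST NOT carry a nonce")
    if "sid" not in claims and "sub" not in claims:
        raise ValueError("logout token needs sid and/or sub")
    return claims.get("sid"), claims.get("sub")


def demo(revoke_offline_access):
    """Issue tokens into session 'sess-1' (one pair with offline_access) and a
    control pair into 'sess-2', terminate 'sess-1', report what stays active."""
    store = TokenStore()
    at_plain, rt_plain = store.issue("sess-1", "alice", {"openid", "profile"})
    at_off, rt_off = store.issue("sess-1", "alice", {"openid", "offline_access"})
    _, rt_other = store.issue("sess-2", "alice", {"openid", "offline_access"})
    logout_claims = {  # constructed logout-token claims
        "iss": "https://idp.example", "aud": "app-1", "iat": int(time.time()),
        "jti": "abc123", "sub": "alice", "sid": "sess-1",
        "events": {BACKCHANNEL_LOGOUT_EVENT: {}},
    }
    sid, _ = parse_logout_token(logout_claims)
    store.terminate_session(sid, revoke_offline_access)
    return {
        "access_plain": store.is_active(at_plain.value),
        "access_offline": store.is_active(at_off.value),
        "refresh_plain": store.is_active(rt_plain.value),
        "refresh_offline": store.is_active(rt_off.value),
        "refresh_other_session": store.is_active(rt_other.value),
    }


if __name__ == "__main__":
    print("OIDC default:", demo(revoke_offline_access=False))
    print("IPSIE-style :", demo(revoke_offline_access=True))
```

Running it shows the one row that differs between the two modes: refresh_offline stays active under the OIDC default and is revoked under the IPSIE-style policy, while the refresh token issued to the untouched session sess-2 survives in both. The lingering access token on a native app is not reachable by the Identity Service at all, which is why the example keeps access tokens short-lived and lets the resource server's introspection, not the app, enforce the revocation.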