Camunda Optimize / OPT-6070

Use Identity for token refresh to allow logout functionality


    • Task
    • Resolution: Fixed
    • L3 - Default
    • 3.10.0-alpha5, 3.9.4
    • backend

      With the Identity integration, we did not originally scope logging out. We should implement this in the expected way with Identity, using the refresh tokens. Specifically, when refreshing a token, we should use the response from Identity to determine whether or not the Optimize cookie should be refreshed. To do this while reusing the existing Optimize token logic, we would need to:

      • Have the token lifetime configured to match Identity (the default in Identity is five minutes, but it is also configurable)
      • Store the refresh token as a claim on the JWT cookie used by Optimize
      • Use Identity to refresh the token when it is near expiry or has expired

      Justification:

      Makes Optimize consistent with other cloud products and aligns us with the expected behaviour of Identity.

      Note:

      • This should be backported to the 3.9 maintenance branch

      This is an important feature to test very thoroughly, as it relates to authentication/security.

      Testing notes:

      • If a user is logged out of Identity, the Optimize token does not get refreshed and the user session is invalidated
      • When checking for cookie refresh, the token is refreshed with Identity if it has expired. If the refresh fails, the session is invalidated
      • The refresh token is a claim on the Optimize cookie JWT
      • If the renewal of tokens with Identity fails, the user should no longer have access to Optimize
      • If a user's Identity token expires (by default after 5 minutes) but they still have an Optimize cookie, the refresh with Identity should result in a new Optimize cookie being set
      • If a user logs in to Optimize and has authorization for the application, but then authorization is revoked, the user should lose access to Optimize during token verification/refresh
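
The refresh flow from the description and testing notes, as an added sketch in Python that is not Optimize or Identity code. `FakeIdentity`, the signing key, the 30-second refresh window and refresh-token rotation are assumptions made for the example.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"   # constructed signing key for the example
LIFETIME = 300                     # seconds; matches Identity's default of five minutes
REFRESH_WINDOW = 30                # assumption: "near expiry" means under 30 s left

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=")

def issue_cookie(user, refresh_token, now):  # HS256 JWT carrying the refresh token as a claim
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": user, "exp": now + LIFETIME, "refresh_token": refresh_token}
    body = header + b"." + _b64(json.dumps(claims).encode())
    sig = _b64(hmac.new(SECRET, body, hashlib.sha256).digest())
    return (body + b"." + sig).decode()

def read_cookie(cookie):  # claims if the signature verifies, otherwise None
    try:
        body, sig = cookie.encode().rsplit(b".", 1)
        expected = _b64(hmac.new(SECRET, body, hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):
            return None
        payload = body.split(b".")[1]
        return json.loads(base64.urlsafe_b64decode(payload + b"=" * (-len(payload) % 4)))
    except (ValueError, IndexError):
        return None

class FakeIdentity:
    """Hypothetical in-memory stand-in for Identity's token endpoint."""
    def __init__(self):
        self.valid, self.issued = {}, 0        # refresh token -> user
    def login(self, user):
        self.issued += 1
        self.valid[f"rt-{self.issued}"] = user
        return f"rt-{self.issued}"
    def logout(self, user):                    # logout or revocation drops the user's tokens
        self.valid = {t: u for t, u in self.valid.items() if u != user}
    def refresh(self, token):                  # rotated refresh token (assumed), or None on failure
        user = self.valid.pop(token, None)
        return self.login(user) if user else None

def check_cookie(identity, cookie, now):
    """Return the cookie to keep or set, or None when the session must be invalidated."""
    claims = read_cookie(cookie)
    if claims is None:
        return None
    if claims["exp"] - now > REFRESH_WINDOW:
        return cookie                          # still fresh, no call to Identity
    new_rt = identity.refresh(claims["refresh_token"])
    return issue_cookie(claims["sub"], new_rt, now) if new_rt else None
```

The claims of a signed JWT are only base64url-encoded, so anyone holding the cookie can read the refresh token; the cookie therefore needs the HttpOnly and Secure attributes.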

              Unassigned
              Joshua Windels (joshua.windels)