Support OIDC Refresh Tokens for Session Management

Description

User Story

As a user,

I want to use OIDC refresh tokens to extend my authentication session,

So that I don’t have to log in frequently while maintaining security.

Problem Description

Users are forced to re-authenticate frequently, causing usability issues, especially for long-running database sessions.

Acceptance Criteria

  • The server can request and use OIDC refresh tokens when available.

  • Sessions remain valid as long as the refresh token is valid.

  • Expired or revoked refresh tokens result in session termination.

Design / Solution Proposal

  • Implement a mechanism to request new access tokens using refresh tokens.

Note from MongoDB documentation ( ) :

Requested scopes
Optional

Tokens that give users permission to request data from the authorization endpoint. If you plan to support refresh tokens, this field must include the value offline_access.

If your identity provider is Microsoft Entra ID, Atlas requires this setting. Add default scope, which is <application client id>/.default.

For each additional scope you want to add, click Add more scopes.

  • Store refresh tokens securely in memory for active sessions.
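As an added illustration (not code from this project or from MongoDB), the following shows the refresh flow the bullets above and the quoted docs note describe: the initial authorization request carries offline_access so the IdP issues a refresh token, the refresh token is later exchanged at the token endpoint with the standard OAuth 2.0 refresh_token grant (RFC 6749 section 6), and an invalid_grant error (expired or revoked token) ends the session instead of retrying. The token endpoint URL, client id and the stand-in IdP are constructed placeholders.

```python
"""Client-side OIDC refresh-token handling (added illustration, not project code)."""
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlencode

# Constructed placeholders: a real deployment takes these from IdP discovery/config.
TOKEN_ENDPOINT = "https://idp.example.com/oauth2/v2.0/token"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"


def authorization_scopes(client_id: str) -> str:
    """Scopes for the first authorization request. 'offline_access' is what makes
    the IdP issue a refresh token; '<client id>/.default' is the Entra ID scope
    quoted from the MongoDB docs above."""
    return " ".join(["openid", "offline_access", f"{client_id}/.default"])


def refresh_request_body(refresh_token: str, client_id: str) -> str:
    """Form body for the OAuth 2.0 refresh_token grant (RFC 6749 section 6)."""
    return urlencode({"grant_type": "refresh_token",
                      "refresh_token": refresh_token,
                      "client_id": client_id})


@dataclass
class Session:
    access_token: Optional[str]
    refresh_token: Optional[str]  # kept only in memory for the live session
    active: bool = True


# A transport is any callable taking (url, form_body) and returning (status, json_dict).
Transport = Callable[[str, str], tuple]


def refresh_session(session: Session, post: Transport) -> Session:
    """Exchange the refresh token for a new access token; a 400 'invalid_grant'
    means the refresh token is expired or revoked, so the session is terminated."""
    if not session.refresh_token:
        return Session(None, None, active=False)
    status, body = post(TOKEN_ENDPOINT, refresh_request_body(session.refresh_token, CLIENT_ID))
    if status == 200 and "access_token" in body:
        # IdPs may rotate refresh tokens; keep the newest one when one is returned.
        return Session(body["access_token"], body.get("refresh_token", session.refresh_token))
    if status == 400 and body.get("error") == "invalid_grant":
        return Session(None, None, active=False)
    raise RuntimeError(f"token endpoint error {status}: {body.get('error')}")


def fake_idp(url: str, form: str) -> tuple:
    """Constructed stand-in for the IdP token endpoint so the example runs offline."""
    if "refresh_token=rt-valid" in form:
        return 200, {"access_token": "at-2", "refresh_token": "rt-rotated", "expires_in": 3600}
    return 400, {"error": "invalid_grant", "error_description": "token revoked"}
```

Note that all of this runs on the client side: the server only ever sees the resulting access token, which is why the refresh token never needs to reach it.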

Environment

None

Activity


radoslaw.szulgo April 8, 2025 at 12:21 PM

Closing as not needed - it’s handled by clients.

Konstantin Trushin April 2, 2025 at 12:36 PM

Duplicating here my comment from Slack:

Please correct me if I'm wrong, but to the best of my knowledge it is a client that requests a refresh token (usually together with the first access token after authentication) from an IdP. When the access token expires, a client sends a refresh token to the IdP to fetch a fresh access token without authentication. After getting a fresh access token, the client sends it to a server.
Thus a server doesn't need to generate or even know about refresh tokens. They are the business of a client and an IdP.

Won't Do

Assignee

Reporter

Labels

Needs QA

Needs Doc

Priority

Created February 14, 2025 at 2:18 PM
Updated April 8, 2025 at 12:21 PM
Resolved April 8, 2025 at 12:21 PM