
OIDC client set expire time for access token as configuration item #41067

Closed
argenstijn opened this issue Jun 7, 2024 · 8 comments · Fixed by #43417
Labels: area/oidc, kind/enhancement (New feature or request)

@argenstijn

Description

When requesting an access token there might be a chance you won't receive an 'expire_at' attribute in the response. This is not mandatory by the spec. For example, Salesforce does not return it. In this case the oidc client (correct me if I am wrong) will cache the access token forever until you revoke it.

It seems to me it would be nice if we could add a configuration which set the max expire time for a token. This value will be used only when the server does not provide it in the response.

Or is there already a better way?

Implementation ideas

See description

@argenstijn argenstijn added the kind/enhancement New feature or request label Jun 7, 2024

quarkus-bot bot commented Jun 7, 2024

/cc @pedroigor (oidc), @radcortez (config), @sberyozkin (oidc)

@argenstijn
Author

In our case, SF will have an expire setting of an access token of 30 min. But sadly won't return it.

@sberyozkin
Member

@argenstijn That should still be fine, JWT token claims will be analyzed if no explicit expire_at grant response property is returned. Does the token have an exp claim?

@argenstijn
Author

@sberyozkin
Yes, but this is a situation where I get an opaque token back from SF. I get no information about the expire setting in the token or in the response. I know it's 30 min. Also I could introspect the access token and then I see the expire time as well. But I am wondering how to deal with this situation using the OIDC client.

The other situation I still need to test is where a JWT token is given back to me. But I am waiting for the SF team to change the configuration for me. I assume this situation will be handled OK.

@argenstijn
Author

@sberyozkin

Sadly enough Salesforce won't return an 'expire_at' attribute and I cannot use a SF JWT token because it is not supported for custom REST API within SF.

So currently I can use the following solution where the access token can be stored for 5 min (or any time!).

It would be nice to configure an expire_at at client side in case the OIDC server does not return an expire_at attribute.
What do you think?

```java
import java.time.Duration;
import java.time.LocalDateTime;
import java.util.Objects;
import java.util.concurrent.atomic.AtomicReference;

import jakarta.annotation.Priority;

import org.jboss.logging.Logger;

import io.quarkus.oidc.client.reactive.filter.OidcClientRequestReactiveFilter;

// Workaround: Salesforce returns an opaque token with no expiry hint, so force the
// OIDC client to fetch a fresh token once the locally configured lifetime has passed.
@Priority(1000)
public class SFOidcClientRequestReactiveFilter extends OidcClientRequestReactiveFilter {

    private static final Logger LOG = Logger.getLogger(SFOidcClientRequestReactiveFilter.class);

    // Time at which the currently cached token was (re)acquired.
    private final AtomicReference<LocalDateTime> tokenCheckRef = new AtomicReference<>();
    private static final int TOKEN_VALID_MINUTES = 5;

    @Override
    protected boolean isForceNewTokens() {
        // First call: record the acquisition time and let the normal token fetch proceed.
        if (Objects.isNull(tokenCheckRef.get()) && tokenCheckRef.compareAndSet(null, LocalDateTime.now())) {
            return false;
        }

        var expired = tokenCheckIsExpired();
        LOG.infof("%s is access token expired %s", tokenCheckRef.get(), expired);
        if (expired) {
            // Reset the clock; the filter will now request new tokens.
            tokenCheckRef.set(LocalDateTime.now());
        }
        return expired;
    }

    private boolean tokenCheckIsExpired() {
        var tokenCheck = tokenCheckRef.get();
        return tokenCheck != null
                && tokenCheck.isBefore(LocalDateTime.now().minus(Duration.ofMinutes(TOKEN_VALID_MINUTES)));
    }
}
```

@sberyozkin
Member

@argenstijn It would probably be more like an expire-in property, as configuring a number of seconds from the epoch would require supporting parsing some date format. But expire-in=5M means this token will expire in 5 mins and is easy to set up. Does it work for you?

@argenstijn
Author

@sberyozkin Yes, that would be great.

So when would this value be used?
Only if 'expire_at' is missing in the response or does it take precedence over the 'expire_at' attribute?

@sberyozkin
Member

@argenstijn It would only be considered as a fallback, if the token response has no expires_at or the JWT token has no exp claim.
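As an added example that is not part of this thread and not Quarkus code, the fallback order described above (expires_in from the grant response first, then the JWT exp claim, then a configured client-side lifetime) worked through on constructed token responses; the function names, the sample tokens and the reference time are assumptions.

```python
import base64
import json
from typing import Optional


def jwt_exp_claim(token: str) -> Optional[int]:
    """Read the 'exp' claim of a JWT access token (None for opaque tokens).
    This only reads the lifetime hint; it is not token validation."""
    parts = token.split(".")
    if len(parts) != 3:
        return None  # opaque token, e.g. what Salesforce returns
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:
        return None
    exp = claims.get("exp")
    return int(exp) if isinstance(exp, (int, float)) else None


def token_expires_at(response: dict, fallback_seconds: Optional[int], now: int) -> Optional[int]:
    """Absolute expiry (epoch seconds) of the access token in a grant response.

    Precedence: expires_in from the response, then the JWT exp claim, then the
    configured fallback. None means nothing applies, i.e. the token would be
    cached until revoked, which is the situation the issue describes.
    """
    if "expires_in" in response:
        return now + int(response["expires_in"])
    exp = jwt_exp_claim(response.get("access_token", ""))
    if exp is not None:
        return exp
    return None if fallback_seconds is None else now + fallback_seconds


def _constructed_jwt(claims: dict) -> str:
    """Build a constructed JWT-shaped token (the signature part is a placeholder)."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"


NOW = 1_717_750_000  # constructed reference time (epoch seconds)
OPAQUE_RESPONSE = {"access_token": "constructed-opaque-token", "token_type": "Bearer"}
JWT_RESPONSE = {"access_token": _constructed_jwt({"sub": "svc", "exp": NOW + 600})}
FULL_RESPONSE = {"access_token": _constructed_jwt({"exp": NOW + 600}), "expires_in": 120}
```

With a fallback of 30 minutes (the Salesforce lifetime from the thread), the opaque response resolves to NOW + 1800, while the responses carrying expires_in or an exp claim keep the server-provided value.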
