Avoid creating user sessions from the token exchange #37832

@mposolda

Description


Right now, in the standard token exchange, we added support for creating new user sessions for some use-cases. This is the case when the switch "Refresh token for token exchange" is enabled for the token exchange, a refresh token is requested, and there is no existing user session yet for the subject_token. In more detail, there are these cases:

  • The subject_token does not have a sid claim at all and is not linked to a session. This can be the case when it is from the OAuth2 client credentials grant

  • The subject_token has a sid claim which points to an offline session, but the token exchange itself does not request an offline session. In this case, we are creating a new "online" session

We discussed avoiding the creation of user sessions, to avoid issues with logout, revocation, etc.

A few more points from @rmartinc which we should do: For V2 I would return an error (if a refresh token is requested and it's not possible, better returning an error). I would also change the current property in the client standard.token.exchange.enableRefreshRequestedTokenType to be a select with values off and current online session (or similar) instead of a boolean. If we later need to improve this (not part of this GH issue), we can have a follow-up issue and create more values like create online session if needed and create online or offline if needed (just an example).
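The two cases above and the proposed change, as an added example that is not part of the issue and not Keycloak's own code: a hypothetical Python model of the refresh-token decision in a token exchange. The session store, the RefreshMode values, the error strings and the constructed subject_token claims are all assumptions chosen for illustration. It contrasts the current path (a fresh online session is created when none fits) with the proposed path (an error instead), and shows why the orphan session is a problem for logout: revoking the session the subject_token came from does not touch the session the exchange created, so the derived refresh token keeps working.

```python
"""Hypothetical model of the refresh-token decision in a standard token
exchange. Added example, not Keycloak code: it contrasts the behaviour the
issue wants removed (silently creating a new user session) with the
proposed one (error when the refresh token cannot be bound to the current
online session) and shows why the orphan session breaks logout."""
from dataclasses import dataclass, field
from enum import Enum
import uuid

REFRESH_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:refresh_token"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


class RefreshMode(Enum):
    """Proposed select replacing the boolean enableRefreshRequestedTokenType
    (the value names are assumptions)."""
    OFF = "off"
    CURRENT_ONLINE_SESSION = "current-online-session"


class ExchangeError(Exception):
    """OAuth2 error response; args are (error, error_description)."""


@dataclass
class Session:
    sid: str
    user: str
    offline: bool


@dataclass
class SessionStore:
    """Minimal stand-in for the server's user-session store (assumption)."""
    sessions: dict = field(default_factory=dict)

    def create(self, user: str, offline: bool) -> Session:
        s = Session(sid=str(uuid.uuid4()), user=user, offline=offline)
        self.sessions[s.sid] = s
        return s

    def logout(self, sid: str) -> None:
        """Logout / revocation of one session; no other session is touched."""
        self.sessions.pop(sid, None)

    def refresh_token_usable(self, token: dict) -> bool:
        """A refresh token is only usable while the session it names exists."""
        return token.get("sid") in self.sessions


def legacy_exchange(store, subject_claims, requested_type, offline_access):
    """Current behaviour described in the issue: if a refresh token is
    requested and no suitable session exists, create a new online one."""
    if requested_type != REFRESH_TOKEN_TYPE:
        return {"token_type": ACCESS_TOKEN_TYPE, "sid": subject_claims.get("sid")}
    session = store.sessions.get(subject_claims.get("sid"))
    if session is None or (session.offline and not offline_access):
        # Case 1 (no sid, e.g. client credentials grant) and case 2 (sid
        # points at an offline session but the exchange wants an online
        # one): a fresh, unrelated online session is created for the subject.
        session = store.create(subject_claims["sub"], offline=False)
    return {"token_type": REFRESH_TOKEN_TYPE, "sid": session.sid}


def proposed_exchange(store, subject_claims, requested_type, offline_access, mode):
    """Proposed behaviour: never create a session; when a refresh token is
    requested but cannot be bound to the current online session, fail."""
    if requested_type != REFRESH_TOKEN_TYPE:
        return {"token_type": ACCESS_TOKEN_TYPE, "sid": subject_claims.get("sid")}
    if mode is RefreshMode.OFF:
        raise ExchangeError("invalid_request",
                            "refresh token not allowed for token exchange on this client")
    sid = subject_claims.get("sid")
    if sid is None:
        raise ExchangeError("invalid_request", "subject_token is not bound to a user session")
    session = store.sessions.get(sid)
    if session is None:
        raise ExchangeError("invalid_grant", "user session of subject_token no longer exists")
    if session.offline or offline_access:
        # Assumption: this mode only reuses the current online session, so an
        # offline session on either side of the exchange is rejected.
        raise ExchangeError("invalid_request",
                            "refresh token can only be bound to the current online session")
    return {"token_type": REFRESH_TOKEN_TYPE, "sid": session.sid}


def logout_gap_demo():
    """Case 2 end to end: the legacy path leaves a refresh token that survives
    logout of the session the subject_token came from; the proposed path errors."""
    store = SessionStore()
    offline = store.create("alice", offline=True)
    claims = {"sub": "alice", "sid": offline.sid}  # constructed subject_token claims
    legacy = legacy_exchange(store, claims, REFRESH_TOKEN_TYPE, offline_access=False)
    try:
        proposed_exchange(store, claims, REFRESH_TOKEN_TYPE, False,
                          RefreshMode.CURRENT_ONLINE_SESSION)
        proposed_error = None
    except ExchangeError as e:
        proposed_error = e.args[0]
    store.logout(offline.sid)  # user logs out of (or admin revokes) the original session
    return {
        "legacy_created_new_session": legacy["sid"] != offline.sid,
        "legacy_token_survives_logout": store.refresh_token_usable(legacy),
        "proposed_error": proposed_error,
    }


if __name__ == "__main__":
    print(logout_gap_demo())
```

The point of the model is the last three lines of logout_gap_demo: under the legacy path the exchanged refresh token names a session nobody logged into, so revoking the original session leaves it valid; under the proposed path the client gets an OAuth2 error and has to fall back to an access-token-only exchange or run a real login.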
