I've started using jetty-openid for authentication (with jetty 10), and as far as I can see, once a user has authenticated successfully with openid, their session stays authenticated for the lifetime of the session (based on idle time or cookie expiry).
I would have thought ideally the session should only remain authenticated until the expiry time returned with the access token is reached. At that point the refresh token should be used to obtain a new valid access token.
Does that sound right? Is it a feature that might be developed?