Identity Server 4 ROPC Grant Custom Claims and Refresh Tokens


I'm wondering if anybody can shed some light on how Identity Server 4 handles the Resource Owner Password Credentials (ROPC) grant type. At my company we have our own implementation of Identity Server 4 that we use to authorize access to our APIs and to log in to our web app. With our mobile applications, the product requirement is that we must provide a native/in-app login experience for Android/iOS without opening the browser, as they have deemed that opening the browser to log in once a quarter is too much of a hit to UX. However, this does leave me with some questions.

  1. Refresh tokens are typically long lived. We have a requirement to make users reset their password every 90 days. Is there a way for me to hook into the refresh token usage to check if my user's password has expired before issuing them a new access token? I know the profile service is invoked in other flows like the authorization code + PKCE flow but I don't know if it is applicable here.

  2. There is a flag when defining clients called UpdateAccessTokenClaimsOnRefresh. What does this flag do and will it help me in my use case?

  3. Is there a better way to achieve a native login experience (not opening a browser and staying within the application) to authenticate and access our APIs?

Logan Cooper:

What we ended up doing was setting UpdateAccessTokenClaimsOnRefresh = true and then when our IProfileService implementation gets invoked, we made it such that the call to IsActive() would return false if the user's password had expired.
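The following is an added example of the approach described in the answer, written for this page; it is not the asker's company implementation nor code from the IdentityServer4 project. It shows a ROPC client with `UpdateAccessTokenClaimsOnRefresh = true`, an `IResourceOwnerPasswordValidator` that rejects an expired password at initial login, and an `IProfileService` whose `IsActiveAsync` returns false once the password is older than 90 days, so refresh-token requests for that user are refused. `IUserStore`, `AppUser`, the client id `mobile-app`, the scope `api1` and the custom claim name `password_expires_at` are assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityModel;
using IdentityServer4;
using IdentityServer4.Extensions;
using IdentityServer4.Models;
using IdentityServer4.Services;
using IdentityServer4.Validation;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical user store; a real deployment backs this with its user database.
public interface IUserStore
{
    Task<AppUser> FindByNameAsync(string userName);
    Task<AppUser> FindByIdAsync(string subjectId);
    Task<bool> VerifyPasswordAsync(AppUser user, string password);
}

public class AppUser
{
    public string SubjectId { get; set; }
    public string UserName { get; set; }
    public DateTime PasswordChangedAtUtc { get; set; }
    public bool IsLockedOut { get; set; }
}

public static class PasswordPolicy
{
    // 90-day rotation requirement from the question.
    public static readonly TimeSpan MaxPasswordAge = TimeSpan.FromDays(90);

    public static bool IsExpired(AppUser user, DateTime nowUtc) =>
        nowUtc - user.PasswordChangedAtUtc > MaxPasswordAge;
}

// ROPC client for the mobile app (client id and scope are assumed names).
public static class Clients
{
    public static IEnumerable<Client> Get() => new[]
    {
        new Client
        {
            ClientId = "mobile-app",
            AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
            RequireClientSecret = false,                  // a mobile app cannot keep a secret
            AllowedScopes = { "api1" },
            AllowOfflineAccess = true,                    // needed to issue refresh tokens
            UpdateAccessTokenClaimsOnRefresh = true,      // rebuild claims via IProfileService on refresh
            RefreshTokenUsage = TokenUsage.OneTimeOnly,   // rotate the refresh token on each use
            RefreshTokenExpiration = TokenExpiration.Sliding,
            AccessTokenLifetime = 3600
        }
    };
}

// Initial username/password check for the ROPC grant.
public class PasswordValidator : IResourceOwnerPasswordValidator
{
    private readonly IUserStore _users;
    public PasswordValidator(IUserStore users) => _users = users;

    public async Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
    {
        var user = await _users.FindByNameAsync(context.UserName);
        if (user == null || !await _users.VerifyPasswordAsync(user, context.Password))
        {
            // Same error for unknown user and wrong password, so the response does not leak which one failed.
            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "invalid credentials");
            return;
        }
        if (PasswordPolicy.IsExpired(user, DateTime.UtcNow))
        {
            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "password expired");
            return;
        }
        context.Result = new GrantValidationResult(user.SubjectId, OidcConstants.AuthenticationMethods.Password);
    }
}

// Supplies claims for new tokens and decides whether the user may still obtain tokens at all.
public class ProfileService : IProfileService
{
    private readonly IUserStore _users;
    public ProfileService(IUserStore users) => _users = users;

    public async Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var user = await _users.FindByIdAsync(context.Subject.GetSubjectId());
        if (user == null) return;
        var expiresAt = user.PasswordChangedAtUtc + PasswordPolicy.MaxPasswordAge;
        context.AddRequestedClaims(new[]
        {
            new Claim(JwtClaimTypes.Name, user.UserName),
            new Claim("password_expires_at", expiresAt.ToString("o")) // custom claim name is an assumption
        });
    }

    public async Task IsActiveAsync(IsActiveContext context)
    {
        // Called for both token issuance and refresh-token validation; false rejects the request.
        var user = await _users.FindByIdAsync(context.Subject.GetSubjectId());
        context.IsActive = user != null
            && !user.IsLockedOut
            && !PasswordPolicy.IsExpired(user, DateTime.UtcNow);
    }
}

public static class IdentityServerSetup
{
    public static void Register(IServiceCollection services) =>
        services.AddIdentityServer()
            .AddInMemoryClients(Clients.Get())
            .AddProfileService<ProfileService>()
            .AddResourceOwnerValidator<PasswordValidator>();
}
```

Two caveats for anyone adopting this: `AddRequestedClaims` only emits claim types that an API resource or scope lists in its `UserClaims`, so the custom `password_expires_at` claim must be declared there or it is silently dropped; and because `IsActiveAsync` runs on every refresh (IdentityServer4 passes `IdentityServerConstants.ProfileIsActiveCallers.RefreshTokenValidation` as the `Caller`), the user lookup it performs should be cheap, since it sits on the hot path for every token renewal.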