We first decided to put a 1-hour TTL on authorized client entries, but finally decided to remove it and change the behavior in
We now observe that in concurrent user sessions the authorized client can be removed while another session still needs it. This was observed during load testing that used the same Nuxeo user but different Previewer sessions. This happens because the authorized client is persisted under the principal name and not the session id, hence the conflict.
The idea is to put back a TTL, but this time without any maxIdle and without a fixed duration. We will set the TTL to the access token expiration time + 24 hours.
Since the session (30 min) will expire and be evicted before the authorized client, the authorized client won't be evicted if the access token needs to be refreshed after the session expiration.
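As an added illustration (not Nuxeo's or the Previewer's own code), the following models the conflict and the TTL rule described above: entries are keyed by principal name, and the old "remove on session end" behavior is compared with an absolute expiry of token expiration + 24 hours and no idle timeout. The class, function and constant names are assumed for the example.

```python
from datetime import datetime, timedelta

# Assumed names: the "+ 24 hours" margin and the 30 min session lifetime from the ticket.
CLIENT_TTL_MARGIN = timedelta(hours=24)
SESSION_LIFETIME = timedelta(minutes=30)


class AuthorizedClientStore:
    """Authorized clients keyed by principal name (not session id), each with an absolute expiry."""

    def __init__(self):
        self._entries = {}  # principal -> (access_token, expires_at)

    def save(self, principal, access_token, token_expires_at):
        # TTL = access token expiration + 24h. No maxIdle: reads neither extend nor shorten it.
        self._entries[principal] = (access_token, token_expires_at + CLIENT_TTL_MARGIN)

    def load(self, principal, now):
        entry = self._entries.get(principal)
        if entry is None:
            return None
        token, expires_at = entry
        if now >= expires_at:
            del self._entries[principal]  # lazy eviction once the TTL has passed
            return None
        return token

    def remove(self, principal):
        # Old behavior: explicit removal when one session ends.
        self._entries.pop(principal, None)


def simulate(evict_on_session_end):
    """Two concurrent Previewer sessions for the same Nuxeo user share one entry."""
    t0 = datetime(2024, 1, 1, 12, 0)  # constructed timestamp
    store = AuthorizedClientStore()
    store.save("alice", "tok-1", token_expires_at=t0 + timedelta(hours=1))
    # Session A ends at t0+10min; with the old behavior it removes the shared entry.
    if evict_on_session_end:
        store.remove("alice")
    # Session B, still inside its 30 min lifetime, needs the client at t0+20min.
    still_available = store.load("alice", t0 + timedelta(minutes=20)) is not None
    # The session lifetime is always shorter than the entry TTL, so the entry outlives it.
    client_outlives_session = SESSION_LIFETIME < timedelta(hours=1) + CLIENT_TTL_MARGIN
    # After token expiration + 24h the entry is gone without any explicit removal.
    gone_after_ttl = store.load("alice", t0 + timedelta(hours=25, minutes=1)) is None
    return still_available, client_outlives_session, gone_after_ttl
```

`simulate(True)` reproduces the load-test failure (the second session loses its client), while `simulate(False)` shows the TTL-only behavior keeping it until the absolute expiry.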