Currently, when a user logs in with OIDC, Huly issues a token to the user for an entire year. While that token is active, Huly never again checks that the access token is still valid, nor does it ever refresh the token. This means that even if a user is fully deleted from the IdP, they would still be able to access Huly for an entire year.
Needless to say this isn't particularly secure. Respecting the OIDC token lifetime and using refresh tokens would be better.
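
A sketch of the behaviour requested above, added here as an illustration and not taken from Huly's code: the application session is bound to the IdP's `expires_in` and is renewed only through a successful refresh grant. The function names, the session shape and the 12-hour cap are hypothetical, and it assumes the IdP rejects the refresh grant (for example with `invalid_grant`) once the user is deleted or disabled.

```javascript
// Added example with hypothetical names; not Huly's implementation.
// All times are in seconds since the epoch and passed in explicitly.

// Assumed hard cap on a session regardless of refreshes (instead of one year).
const MAX_SESSION_SECONDS = 12 * 60 * 60;

// Build the app session from the OIDC token endpoint response
// ({ access_token, expires_in, refresh_token }) rather than a fixed lifetime.
function createSession(sub, tokenResponse, now) {
  return {
    sub,
    createdAt: now,
    accessExpiresAt: now + tokenResponse.expires_in,
    refreshToken: tokenResponse.refresh_token ?? null,
  };
}

// Called on every request: decide whether the session may still be used.
function checkSession(session, now) {
  if (now - session.createdAt >= MAX_SESSION_SECONDS) return 'reauthenticate';
  if (now < session.accessExpiresAt) return 'valid';
  // IdP token expired: the session survives only if the IdP renews it.
  return session.refreshToken ? 'refresh' : 'reauthenticate';
}

// Apply the outcome of a refresh_token grant. A missing response or an
// OAuth error body (e.g. { error: 'invalid_grant' }) ends the session,
// which is how a user deleted at the IdP loses access.
function applyRefresh(session, refreshResult, now) {
  if (!refreshResult || refreshResult.error) return null;
  return {
    ...session,
    accessExpiresAt: now + refreshResult.expires_in,
    // Keep the old refresh token unless the IdP rotated it.
    refreshToken: refreshResult.refresh_token ?? session.refreshToken,
  };
}

// Constructed walk-through: 5-minute tokens, user deleted before 2nd refresh.
function demo() {
  let s = createSession('alice', { access_token: 'a1', expires_in: 300, refresh_token: 'r1' }, 1000);
  const steps = [checkSession(s, 1100), checkSession(s, 1300)];
  s = applyRefresh(s, { access_token: 'a2', expires_in: 300, refresh_token: 'r2' }, 1300);
  steps.push(checkSession(s, 1400));
  steps.push(applyRefresh(s, { error: 'invalid_grant' }, 1600) === null ? 'revoked' : 'valid');
  return steps;
}
```

With this shape, the window in which a deleted user keeps access shrinks from a year to at most one access-token lifetime.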