Description
Hi, thanks for all your work on this very neat project.
I have just noticed in the latest pre-release Ziti Tunnel SDK (running Ziti 1.7.0 + Ziti Tunnel SDK 1.7.15) with an external JWT signer for primary authentication that, after a successful OIDC token refresh for an authenticated user session (both internal and external token refresh succeed), I see the following error in the logs and the user is no longer able to reach the service.
I understand I am running the latest pre-releases, where bugs might be expected but I was just curious to see if you think I might be doing something wrong on my end here. Feel free to silently close/disregard this if I'm jumping the gun.
```
ERROR ziti-sdk:connect.c:1052 connect_reply_cb() conn[1.73/54G80If5/Connecting](test-service) failed to connect, reason=failed to create service token from JWT: api session id (c2f111c3-1e16-438e-9448-09b898f7f75b) does not match service session api session id (ab841a7e-9cbf-47e3-923a-c53849135493)
```
Initial login is fine, and this issue occurs only after an external refresh (which appears to be triggered by expires_in in the original IDP payload). I've increased the expires_in sent from my IDP to mitigate this for now. Is there something I may need to adjust at my external IDP for new Ziti versions, or is this possibly a bug or known issue with the external OIDC refresh?
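To make the failure mode in this report concrete, here is an added Python model of the check the error message describes. It is not code from Ziti, the controller or the Tunnel SDK, and every class and function name in it is hypothetical. It assumes only what the log line states: a service session records the API session it was created under, and a connect is refused when the caller's current API session id differs from that recorded id. It also assumes, as the two differing ids in the log suggest, that the refresh produced a new API session id; whether that is intended is exactly the question the report raises. The model contrasts a client that keeps its cached service sessions across the refresh (which reproduces the mismatch) with one that drops them so they are re-created under the new API session.

```python
"""Simplified model of an API-session / service-session binding check.

Added illustration only: not Ziti code. Names are hypothetical.
"""
import uuid
from dataclasses import dataclass, field


@dataclass
class ApiSession:
    # Constructed id; stands in for the UUIDs seen in the log line.
    id: str = field(default_factory=lambda: str(uuid.uuid4()))


@dataclass
class ServiceSession:
    service: str
    api_session_id: str  # the API session this service session was minted under
    token: str = field(default_factory=lambda: str(uuid.uuid4()))


class BindingMismatch(Exception):
    """Raised when a service session is presented under a different API session."""


def create_service_session(api_session: ApiSession, service: str) -> ServiceSession:
    """Mint a service session bound to the caller's current API session."""
    return ServiceSession(service=service, api_session_id=api_session.id)


def check_binding(api_session: ApiSession, service_session: ServiceSession) -> bool:
    """The control behind the reported error: a service session is only valid
    under the API session that created it, so a token cannot be carried across
    sessions. Returns True on match, raises BindingMismatch otherwise."""
    if api_session.id != service_session.api_session_id:
        raise BindingMismatch(
            f"api session id ({api_session.id}) does not match service session "
            f"api session id ({service_session.api_session_id})"
        )
    return True


class Client:
    """Client-side cache of service sessions keyed by service name.

    keep_cache_on_refresh=True reuses service sessions after the API session
    changes (reproduces the report); False discards them so the next connect
    mints fresh ones under the new API session.
    """

    def __init__(self, keep_cache_on_refresh: bool):
        self.api_session = ApiSession()
        self.cache: dict[str, ServiceSession] = {}
        self.keep_cache_on_refresh = keep_cache_on_refresh

    def connect(self, service: str) -> str:
        ss = self.cache.get(service)
        if ss is None:
            ss = create_service_session(self.api_session, service)
            self.cache[service] = ss
        check_binding(self.api_session, ss)
        return ss.token

    def refresh_token(self) -> None:
        """Hypothetical refresh: assumed (per the log) to yield a new API session id."""
        self.api_session = ApiSession()
        if not self.keep_cache_on_refresh:
            self.cache.clear()


def simulate(keep_cache_on_refresh: bool):
    """Login, connect once, refresh, connect again.

    Returns (post_refresh_ok, error_text_or_None).
    """
    client = Client(keep_cache_on_refresh)
    client.connect("test-service")  # initial connect succeeds either way
    client.refresh_token()
    try:
        client.connect("test-service")
        return True, None
    except BindingMismatch as exc:
        return False, str(exc)


if __name__ == "__main__":
    print("cache kept across refresh:   ", simulate(True))
    print("cache dropped on refresh:    ", simulate(False))
```

Read this way, the error is the binding check doing its job; the open question in the report is whether a refresh should change the API session id at all, or whether the tunneler should drop its cached service sessions when it does.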