As a route deployer, I want to continue to use cached values while disconnected from AM, in order to provide a degraded mode where known clients (using entries from the cache) can still function properly. Note that this introduces a risk window where IG can grant access to resources while the presented token may have been revoked on AM (or the policy may have changed on AM).
- New value in the strategy selector for both SSO and PEF
- When disconnected, SSO/CDSSO/PEF continue to return responses in accordance with the cache content
- Cache is cleared once reconnected in order to force refresh of entries
- If a token is revoked, or a policy is changed, while disconnected, IG continues to respond as if the token were still valid
- Entries expire according to their natural timeout value (so tokens that expire while we're disconnected are naturally removed from the cache)
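
The following is an added sketch of the behaviour listed above, not IG code: a toy cache that keeps serving entries while disconnected, honours natural expiry, and clears itself on reconnect, run against a constructed scenario that makes the risk window visible. All names (`DegradedModeCache`, `on_disconnect`, `on_reconnect`, `decide`) are hypothetical, AM is a stub function, and denying tokens that are not in the cache while disconnected is an assumption the story does not state.

```python
import time

class DegradedModeCache:
    """Toy model of the cache behaviour in this story (hypothetical, not IG code)."""

    def __init__(self, am_lookup, clock=time.monotonic):
        self._am_lookup = am_lookup   # callable(token) -> (decision, ttl_seconds)
        self._clock = clock
        self._entries = {}            # token -> (decision, expires_at)
        self._connected = True

    def on_disconnect(self):
        self._connected = False       # keep entries: degraded mode serves from cache

    def on_reconnect(self):
        self._connected = True
        self._entries.clear()         # force every entry to be re-fetched from AM

    def decide(self, token):
        now = self._clock()
        entry = self._entries.get(token)
        if entry and entry[1] <= now:  # natural timeout still applies while offline
            del self._entries[token]
            entry = None
        if entry:
            return entry[0], "cache"
        if not self._connected:
            return "deny", "disconnected"   # assumption: uncached tokens fail closed
        decision, ttl = self._am_lookup(token)
        self._entries[token] = (decision, now + ttl)
        return decision, "am"

def risk_window_demo():
    """Constructed scenario: tok-A is revoked on AM while the gateway is disconnected."""
    now, revoked = [0.0], set()
    ttls = {"tok-A": 300, "tok-B": 60}      # constructed sample lifetimes, in seconds
    def am(token):                          # stub standing in for AM
        return ("deny" if token in revoked else "allow"), ttls.get(token, 60)
    cache = DegradedModeCache(am, clock=lambda: now[0])
    seen = [cache.decide("tok-A"), cache.decide("tok-B")]   # both cached at t=0
    cache.on_disconnect()
    revoked.add("tok-A")                    # revocation the gateway cannot see
    now[0] = 120.0
    seen.append(cache.decide("tok-A"))      # still allowed: the risk window
    seen.append(cache.decide("tok-B"))      # expired naturally, cannot be refreshed
    seen.append(cache.decide("tok-C"))      # never cached
    cache.on_reconnect()
    seen.append(cache.decide("tok-A"))      # cache cleared, AM now denies
    return seen
```

In this model the longest a revoked token stays usable is the smaller of the disconnection time and the entry's remaining lifetime, so the cache timeout bounds the exposure.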