I believe that it's specified in the architectural reference framework that it has to re-validate every session, to ensure that the token hasn't been revoked. I'd be happy to be corrected, though!
I believe that it's specified in the architectural reference framework that it has to re-validate every session, to ensure that the token hasn't been revoked. I'd be happy to be corrected, though!