Hi @mdobron17,

Thanks for writing in! For what it's worth, the way you are approaching it now is a great way to do it. When you log in to GitHub with an OIDC IdP, we store away the refresh token, and don't auto-refresh the GH JWT. That is up to you, as the developer.

It's worth mentioning that even if we built functionality to store the Refresh Token and the Access Token, the JWT Access Token eventually expires and needs to be refreshed, which would put the burden back on you to refresh the token.

You're free to open a GH issue to suggest we expand how we handle tokens from 3rd party IdPs, if you'd like. You can do so here.

If you'd like a little more of a deep dive into configuring OIDC with GitHub, we have a post on that here.

Hopefully this helps, please let me know if you have any more questions!