...
3) The reauthentication token can be lost in transit back to the client, along with the session being returned. When this happens the client is in a "failed reauthentication" state and these improvements are primarily designed to ensure the client can recover from this state.
We are seeing errors where When a reauthentication request succeeds, but then the client fails to get back the session (e.g. due to network error). When that happens , we create a new reauth token and store the old token in Redis. While the client can recover by resending the old reauth token, and they will get a the session, the session we send back does not include the new reauth token (we don't have it due to #2 above). We just return the old token in the session. As a result, at some point, that user will still have to authenticate when the cached reauthentication token expires from cache.
...