OpenID Connect (OIDC) idle timeout design

YS Yau
May 16, 2020


An idle (session inactivity) timeout usually comes for free with cookie-based authentication in a traditional web application, but it has no direct equivalent in the now common SPA + API combination, where the API is called with a bearer access token whose lifetime is fixed at issue time. Some business applications still require an idle timeout to protect the end user, for example on a shared or unattended workstation.

In this article we explore how to simulate idle-timeout behaviour on top of OIDC token authentication. The simulation relies on the SSO session that an OIDC flow establishes at the IdP: that session becomes the idle-timeout indicator, because silent token renewal succeeds only while it is alive.

How to do it?

Step 1

Set your IdP's SSO session TTL and the access token expiration time to the desired idle timeout:

IdP SSO session TTL = access token lifetime = idle timeout

With both set to the same value, a front end that stops renewing the token (because the user is idle, or because the browser was closed) leaves both the access token and the SSO session to expire naturally after the idle timeout. Two caveats: the access token itself cannot be cut short once issued, so the API must reject it once `exp` has passed and the idle timeout is only enforced to the resolution of the token lifetime; and the SPA should not also hold a refresh token, since refresh-token renewal in general does not depend on the SSO session and would defeat the timeout.

Step 2

Define the front-end events that count as user activity and prolong the session. Good candidates:

  • the relying party (RP) sending an API request
  • an SPA page load (route change)

Step 3

Add an interceptor or event listener on the activities defined above that calls a function, call it "Session Check".

This function does two things:

  • When the access token has expired, attempt to renew it silently. Renewal succeeds only while the IdP SSO session is still alive, so an idle user is sent back to login.
  • While the access token is still valid, keep the IdP SSO session in sync with the user's activity by calling the IdP's session-extend API. The call is usually lightweight, but rate-limit it (for example, at most once a minute) so that every API request does not turn into an extra round trip to the IdP.

Illustration of user activities vs session (idle timeout 15 minutes, rate limit 1 minute)

User activities by number:

  1. On authentication, both the access token and the IdP SSO session are valid for 15 minutes.
  2. A session check inside the 1-minute rate-limit window: nothing to do, no session extension.
  3. Another session check inside the rate-limit window: again nothing to do.
  4. The access token is still valid and the rate-limit window has passed, so the IdP session-extend API is called and the SSO session runs for another 15 minutes. The access token's own expiry does not change.
  5. The access token has expired, so the front end attempts a silent renewal (OIDC silent renew). Because the IdP SSO session is still valid (it was extended in step 4), a new access token is issued and both the token and the session are again valid for 15 minutes.
  6. More than 15 minutes have passed since the last activity, so both the access token and the IdP SSO session have expired; the silent renewal fails and the user has to log in again.
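The three steps and the numbered timeline above, replayed in code. This is an added example written for this edit, not the article's Angular/Okta reference implementation: the IdP (Okta) and oidc-client-js are replaced by an in-memory fake, and the timings (15-minute timeout, 1-minute rate limit, activity at 0.5, 0.8, 5, 16 and 32 minutes) and all class and function names are assumptions chosen to match the illustration. The `extend: false` option shows what the session-extend call buys: without it, a user who is active at minute 14 is still logged out at minute 16, because the SSO session expired at minute 15.

```javascript
// Added example: an offline simulation of the idle-timeout design above.
// The real IdP (Okta) and oidc-client-js are replaced by an in-memory fake,
// so the names and numbers here are assumptions, not the project's own API.

const MINUTE = 60 * 1000;
const IDLE_TIMEOUT_MS = 15 * MINUTE; // Step 1: IdP SSO session TTL == access token lifetime
const RATE_LIMIT_MS = 1 * MINUTE;    // Step 3: minimum gap between session-extend calls

// Fake IdP: holds one SSO session and issues bearer tokens with the same TTL.
class FakeIdP {
  constructor() {
    this.ssoExpiresAt = null;
    this.extendCalls = 0;
    this.tokensIssued = 0;
  }
  login(now) {
    this.ssoExpiresAt = now + IDLE_TIMEOUT_MS;
    return this.issueToken(now);
  }
  issueToken(now) {
    this.tokensIssued += 1;
    return { expiresAt: now + IDLE_TIMEOUT_MS }; // stands in for the JWT `exp` claim
  }
  sessionValid(now) {
    return this.ssoExpiresAt !== null && now < this.ssoExpiresAt;
  }
  // Session-extend API: only a session that is still alive can be extended.
  extendSession(now) {
    if (!this.sessionValid(now)) return false;
    this.extendCalls += 1;
    this.ssoExpiresAt = now + IDLE_TIMEOUT_MS;
    return true;
  }
  // Silent renewal (prompt=none): succeeds only while the SSO session is alive.
  // Assumption, as in step 5 of the illustration: a successful renewal also
  // resets the session TTL.
  silentRenew(now) {
    if (!this.sessionValid(now)) return null;
    this.ssoExpiresAt = now + IDLE_TIMEOUT_MS;
    return this.issueToken(now);
  }
}

// Front-end "Session Check", invoked from the API interceptor / page-load listener.
class SessionCheck {
  constructor(idp, now, { extend = true } = {}) {
    this.idp = idp;
    this.extend = extend;      // false = never call the session-extend API
    this.token = idp.login(now);
    this.lastTouchAt = now;    // last time we reset the IdP session TTL
  }
  run(now) {
    if (this.token === null) return 'relogin';
    if (now >= this.token.expiresAt) {
      // Access token expired: try a silent renewal against the SSO session.
      const renewed = this.idp.silentRenew(now);
      if (renewed === null) { this.token = null; return 'relogin'; }
      this.token = renewed;
      this.lastTouchAt = now;
      return 'renewed';
    }
    if (!this.extend) return 'no-extend';
    if (now - this.lastTouchAt < RATE_LIMIT_MS) return 'skipped'; // rate limit
    if (!this.idp.extendSession(now)) return 'extend-failed';
    this.lastTouchAt = now;
    return 'extended';
  }
}

// Replay a list of user-activity times (minutes since login) and report what
// Session Check did at each one, plus how much traffic reached the IdP.
function runTimeline(activityMinutes, options) {
  const idp = new FakeIdP();
  const check = new SessionCheck(idp, 0, options);
  const actions = activityMinutes.map((m) => check.run(m * MINUTE));
  return { actions, extendCalls: idp.extendCalls, tokensIssued: idp.tokensIssued };
}

// Constructed sample input matching the illustration: activity at 0.5, 0.8, 5,
// 16 and 32 minutes after login. Expected actions:
// ['skipped', 'skipped', 'extended', 'renewed', 'relogin']
const ILLUSTRATED_TIMELINE = [0.5, 0.8, 5, 16, 32];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runTimeline(ILLUSTRATED_TIMELINE)));
  console.log(JSON.stringify(runTimeline([14, 16], { extend: false })));
}
```

Note that the access token's expiry is never moved by the extend call; only the SSO session is. That is why step 5 still has to go through a silent renewal, and why the `exp` check on the API side is what actually ends a session that the front end has abandoned.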

Sample project / reference implementation

  • Angular 9 with the oidc-client-js library
  • Okta as the OP/IdP
  • The GitHub repo (linked from the original post)
