OpenID Connect (OIDC) idle timeout design

How to do it?

Step 1

Set your IdP SSO session TTL and your access token expiration time to the desired idle timeout.

IdP SSO Session TTL = access token exp time = Idle timeout

By giving the IdP SSO session and the access token the same expiration time, the session is invalidated naturally after the idle timeout if the front end does not renew the token or if the browser is closed.

Step 2

Define the activities (front-end triggers) that will prolong the session. Some good examples:

  • Relying Party (RP) API request event
  • SPA page load event

Step 3

Create an interceptor or event listener on the activities defined above that triggers a function called “Session Check”, which does the following:

  • Attempts to renew the access token when the access token has expired
  • Keeps the activities in sync with the IdP SSO session TTL by invoking the IdP's session-extend API. This API call is usually lightweight, but it is good practice to rate-limit it to reduce traffic to the IdP.

Illustration of user activities vs. session

  1. Upon authentication, both the access token and the IdP SSO session are valid for 15 minutes
  2. Session check within the rate limit (1 minute): do nothing, no session extension
  3. Session check within the rate limit (1 minute): do nothing, no session extension
  4. As the access token has not expired, we invoke the session-extend API on the IdP to extend the SSO session for another 15 minutes
  5. As the access token has expired, we attempt to renew the token (OIDC silent renewal). As the IdP SSO session is still valid, a new access token is issued. At this point both are reset to a 15-minute expiration
  6. As the last user activity is more than 15 minutes ago, both the access token and the IdP SSO session have expired and the user needs to log in again
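The “Session Check” from Step 3 and the six-step illustration above, written as an added example (not code from the original post or its sample repo). It is framework-agnostic: the IdP calls are injected as callbacks with assumed shapes, `renewToken()` (OIDC silent renewal) and `extendSession()` (the IdP's session-extend endpoint), and the `fakeIdP` stand-in is constructed here only so the walk-through runs offline.

```javascript
// Added example, not from the original post. Assumed callback shapes:
//   renewToken():    OIDC silent renewal; resolves to the new token expiry
//                    (epoch ms) or null when the IdP SSO session is gone.
//   extendSession(): calls the IdP's session-extend endpoint.
const TTL_MS = 15 * 60 * 1000;   // IdP SSO session TTL = access token exp = idle timeout
const RATE_LIMIT_MS = 60 * 1000; // at most one extend call per minute
function createSessionCheck({ renewToken, extendSession, now = Date.now }) {
  let tokenExpiresAt = 0;       // exp of the current access token (epoch ms)
  let lastExtendAt = -Infinity; // when the IdP session was last touched
  return {
    // Call once after login with the issued token's expiry.
    onAuthenticated(expiresAt) {
      tokenExpiresAt = expiresAt;
      lastExtendAt = now();
    },
    // Call on every configured activity (API request, page load).
    async sessionCheck() {
      const t = now();
      if (t >= tokenExpiresAt) {
        // Token expired: attempt silent renewal. Only the IdP knows whether the
        // SSO session is still alive; null means the user has to log in again.
        const newExp = await renewToken();
        if (newExp === null) return 'login-required';
        tokenExpiresAt = newExp;
        lastExtendAt = t;
        return 'renewed';
      }
      if (t - lastExtendAt < RATE_LIMIT_MS) return 'skipped'; // inside rate limit
      await extendSession(); // token still valid: keep the SSO session in step
      lastExtendAt = t;
      return 'extended';
    },
  };
}
// Constructed in-memory stand-in for the IdP (not a real OP), just enough to
// walk the six-step illustration: it tracks the SSO session expiry only.
function fakeIdP(now) {
  let ssoExpiresAt = 0;
  return {
    login() { ssoExpiresAt = now() + TTL_MS; return ssoExpiresAt; },
    extendSession: async () => { ssoExpiresAt = now() + TTL_MS; },
    renewToken: async () => {
      if (now() >= ssoExpiresAt) return null; // SSO session gone: re-login
      ssoExpiresAt = now() + TTL_MS;          // new token resets both clocks
      return ssoExpiresAt;
    },
  };
}
```

Wire `sessionCheck()` into the RP's HTTP interceptor and page-load handler; on `'login-required'` redirect to the IdP login.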

Sample project / reference implementation

  • Using Angular 9 and the oidc-client-js library
  • Okta as the OP/IdP
  • The GitHub repo (here)
