element-hq / matrix-authentication-service

https://element-hq.github.io/matrix-authentication-service/
GNU Affero General Public License v3.0

Follow upstream Idp access + refresh token validity #3234

Open guyguy333 opened 2 months ago

guyguy333 commented 2 months ago

Is your feature request related to a problem? Please describe.

Currently, it looks like the sessions I'm running with MAS that are related to my upstream IdP have infinite lifetimes, despite my upstream IdP having relatively short access token and refresh token validity values. They're not following the IdP's refresh token validity and access token validity.

Describe the solution you'd like

I would expect MAS to follow the IdP's refresh token validity + access token validity as the end date of the session with MAS. I also expect devices related to MAS to all have a finite lifetime correlated to IdP information. What would be great is to have an option to force the user to log in each time they add a new device or need to log in again to refresh an existing session on a device, so all devices (e.g. a desktop and a mobile) are not logged out at the same time, i.e. each device should have its own session lifetime. Otherwise, it would be less user-friendly for the user to validate a device using another existing session.

Describe alternatives you've considered

None. Maybe a configuration is missing on my side.

Additional context

sandhose commented 1 month ago

This is a relatively common behaviour with any software which has SSO support through OIDC. I haven't seen any software doing that; instead, they usually rely on other mechanisms, like OpenID Connect Backchannel Logout, which is a server-to-server notification of the session ending on the IdP side.

Support for this is tracked in #2090
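The mechanism sandhose points to, OpenID Connect Back-Channel Logout, works by the IdP POSTing a signed "logout token" to the relying party, which validates it and ends the matching local sessions. The following is an added example, not code from matrix-authentication-service or the linked issue, showing the validation steps the spec requires (signature, `iss`, `aud`, `iat` freshness, `jti`, the `events` claim, `sub`/`sid`, and the absence of `nonce`) and the session teardown that follows. It assumes an HS256 shared secret so it runs offline with the standard library; real IdPs sign logout tokens with asymmetric keys fetched from their JWKS endpoint. The `SessionStore` and all session data are constructed for the example.

```python
"""Added example (not MAS code): validating an OIDC Back-Channel Logout token
and ending the matching local sessions.  HS256 with a shared secret is an
assumption made so the example runs offline; production RPs verify the IdP's
asymmetric signature against its published JWKS."""
import base64
import hashlib
import hmac
import json
import time

BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_logout_token(claims: dict, secret: bytes) -> str:
    """Stand-in for the IdP side: build an HS256 logout token (assumption)."""
    header = {"alg": "HS256", "typ": "logout+jwt"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_logout_token(token, secret, issuer, client_id, now=None, max_age=120):
    """Return (claims, None) if `token` is an acceptable logout token for
    `client_id`, else (None, reason).  Checks follow OIDC Back-Channel Logout
    section 2.6; the order matters only for which reason is reported."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    head_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(head_b64))
        expected = hmac.new(secret, f"{head_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        # Pin the algorithm and use a constant-time comparison on the MAC.
        if header.get("alg") != "HS256" or not hmac.compare_digest(
                expected, _b64url_decode(sig_b64)):
            return None, "bad signature"
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None, "malformed token"
    if claims.get("iss") != issuer:
        return None, "wrong issuer"
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        return None, "wrong audience"
    iat = claims.get("iat")
    # Logout tokens carry iat rather than exp; reject stale or future-dated ones.
    if not isinstance(iat, int) or iat > now + 30 or now - iat > max_age:
        return None, "iat missing or stale"
    if not isinstance(claims.get("jti"), str):
        return None, "missing jti"
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(
            events.get(BACKCHANNEL_LOGOUT_EVENT), dict):
        return None, "missing backchannel-logout event"
    if "sub" not in claims and "sid" not in claims:
        return None, "neither sub nor sid"
    if "nonce" in claims:  # an ID token must never be accepted as a logout token
        return None, "nonce present (ID token, not a logout token)"
    return claims, None


class SessionStore:
    """Constructed in-memory store: local session id -> (upstream sub, upstream sid)."""

    def __init__(self, sessions):
        self.sessions = dict(sessions)
        self.seen_jti = set()

    def handle_logout(self, claims):
        """End the sessions a verified logout token refers to and return their ids.
        A `sid` ends that one upstream session; a bare `sub` ends every session of
        that user.  A repeated `jti` is ignored so a replayed token does nothing."""
        if claims["jti"] in self.seen_jti:
            return []
        self.seen_jti.add(claims["jti"])
        ended = []
        for local_id, (sub, sid) in list(self.sessions.items()):
            if ("sid" in claims and sid == claims["sid"]) or \
               ("sid" not in claims and sub == claims["sub"]):
                ended.append(local_id)
                del self.sessions[local_id]
        return ended
```

Two design points worth noting: the `nonce` check is what stops an attacker from replaying a stolen ID token as a logout request, and the `jti` set is per-token replay protection, which in a real deployment would be backed by a store with a TTL no shorter than `max_age`.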