logto-io / logto

🧑‍🚀 The better identity infrastructure for developers and the open-source alternative to Auth0.
https://logto.io
Mozilla Public License 2.0
8.94k stars 446 forks

feature request: Add the session duration setting of native app #6777

Open KnightJun opened 2 weeks ago

KnightJun commented 2 weeks ago

What problem did you meet?

I created a native type app, and although the refresh token is set to be valid for 90 days, the session is only valid for 14 days, resulting in the user having to log in again after 14 days, which creates a bad experience because other apps are valid for a long time with a single login.

Describe what you'd like Logto to have

I wish I could set the length of time the app's session is valid, so that I can set the session to be permanent.

darcyYe commented 2 weeks ago

Could you please provide the setup of your auth system, so that we can try to reproduce this issue? Looking at the code, it seems this should not happen.

KnightJun commented 2 weeks ago

I'm using version 1.20 of Logto on a self-hosted server, the corresponding client is Flutter, and I've set up a native app on the server with the validity of the refresh token set to 90 days. I noticed that when an account logs in, three pieces of data are created in the oidc_model_instances table of the Logto database, namely Session, Grant and RefreshToken. The expires_at for RefreshToken is 90 days, but the expires_at for Session and Grant is 14 days, which will cause the client not to work after 14 days. I would like to know under what circumstances the expires_at of Session and Grant will be refreshed in the normal flow, or how the expiration dates of Session and Grant are set. This will help me to troubleshoot the issue further, thanks!


darcyYe commented 1 week ago

You can check the source code and set a proper lifespan for Grant and Session. Per our current design, the expires_at value of Grant or Session will not be prolonged automatically.
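
The mismatch discussed in this thread, as an added example (not code from the thread or from Logto): given the Session, Grant and RefreshToken records for one login, it reports which records expire before the refresh token and the resulting usable lifetime. The row shape (`modelName`, `expiresAt`), the sample dates and the function name are assumptions, and it takes the reporter's observation as given that the login stops working once the earliest record expires.

```javascript
// Constructed sample rows mirroring the three records the reporter saw in
// oidc_model_instances. Field names are assumptions made for this example.
const DAY_MS = 24 * 60 * 60 * 1000;
const loginAt = Date.UTC(2024, 0, 1); // constructed login time
const sampleRows = [
  { modelName: 'Session', expiresAt: new Date(loginAt + 14 * DAY_MS) },
  { modelName: 'Grant', expiresAt: new Date(loginAt + 14 * DAY_MS) },
  { modelName: 'RefreshToken', expiresAt: new Date(loginAt + 90 * DAY_MS) },
];

// Compare the expiry of each record kind against the refresh token's expiry.
// Since expires_at of Grant and Session is not prolonged automatically, any
// of them expiring first caps the login below the configured refresh TTL.
function auditLifetimes(rows, issuedAt) {
  const required = ['Session', 'Grant', 'RefreshToken'];
  const byKind = new Map(rows.map((r) => [r.modelName, r.expiresAt.getTime()]));

  // Fail loudly on incomplete input instead of reporting a misleading result.
  const missing = required.filter((kind) => !byKind.has(kind));
  if (missing.length > 0) {
    throw new Error(`missing records: ${missing.join(', ')}`);
  }

  const days = (ms) => Math.round((ms - issuedAt) / DAY_MS);
  const refreshExpiry = byKind.get('RefreshToken');
  const limitingRecords = required.filter(
    (kind) => kind !== 'RefreshToken' && byKind.get(kind) < refreshExpiry
  );
  const earliest = Math.min(...required.map((kind) => byKind.get(kind)));

  return {
    configuredRefreshDays: days(refreshExpiry),
    effectiveDays: days(earliest),
    limitingRecords,
    mismatch: limitingRecords.length > 0,
  };
}

console.log(auditLifetimes(sampleRows, loginAt));
```
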