travisghansen / external-auth-server

easy auth for reverse proxies
MIT License

Oauth2 flow cookie_expiry: true (EAS, envoy ExtAuthz, Okta) #119

Closed. nonefaken closed this 3 years ago

nonefaken commented 3 years ago

Hello,

I continue testing the OAuth2 flow with EAS, Envoy ExtAuthz and Okta as IdP.

My current interest is the "cookie_expiry: true" setting in config_token. It states that the EAS session will expire with the tokens.

It seems that it forces EAS session to expire based on access_token lifetime.

Questions:

  1. Is the above statement correct?

  2. Is it possible to configure EAS so that the session will continue to refresh automatically without a redirect and expire only after EAS is not able to obtain a new refresh/access token from the IdP? So that the EAS session expiry would more or less match the access/refresh expiry policy set in Okta's custom authorization server.

Thank you!

travisghansen commented 3 years ago

That setting is only for the lifetime of the cookie (entirely user agent side and doesn’t really impact the server’s behavior). session_expiry is what manages the server-side aspect.

  1. Essentially yes. It’s slightly more nuanced as if the tokenset has a refresh token with an expiration I believe it will use that.
  2. Yes, this is essentially what the default settings do. There can be some provider specific details going on and also changes in behavior based on scopes used. For example some providers give a refresh token without an expiration. In some cases they have expiration but a new refresh token is issued during the refresh sequence. The behavior can be quite nuanced.

All of the above is based on activity by the user as well. If a refresh token expires but the user does no activity during the refresh window, then the session may disappear on the server-side before the user actually refreshes, resulting in a new auth sequence on the next request.

I personally configure the windows relatively large in my setup both with the provider and eas. Combine that with userinfo (and token introspection assuming oidc) validation and you’re pretty safe. The project also supports backchannel logout scenarios which may tie into your overall approach.
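The interplay described in this answer (cookie lifetime on the user-agent side, server-side session kept alive by refreshes, and the effect of an idle user on a provider that does or does not rotate refresh tokens) as an added illustrative model. This is not external-auth-server's own code; the tokenset shape, the 300 s / 3600 s lifetimes and the two provider behaviours are constructed assumptions.

```javascript
// Illustrative model only, not EAS code. Times are unix seconds.

// Constructed tokenset as an IdP might return it. refreshTtl === null models
// a provider that issues a refresh token without an expiration.
function makeTokenset(now, accessTtl, refreshTtl, refreshToken = "rt-1") {
  return {
    access_expires_at: now + accessTtl,
    refresh_token: refreshToken, // constructed placeholder value
    refresh_expires_at: refreshTtl === null ? null : now + refreshTtl,
  };
}

// Cookie lifetime when cookie_expiry is true: purely a user-agent-side value,
// taken from the refresh token's expiration when present, else the access token's.
// It is never consulted by handleRequest below, mirroring the answer above.
function cookieExpiry(tokenset) {
  return tokenset.refresh_expires_at ?? tokenset.access_expires_at;
}

// Server-side decision for one request at time `now`:
//   "valid"     access token still good, nothing to do
//   "refreshed" access token expired, refresh token usable, tokenset replaced
//   "reauth"    refresh token missing or expired, a new auth sequence is needed
// `provider` simulates the IdP's refresh endpoint.
function handleRequest(session, now, provider) {
  const ts = session.tokenset;
  if (now < ts.access_expires_at) return "valid";
  const refreshUsable =
    Boolean(ts.refresh_token) &&
    (ts.refresh_expires_at === null || now < ts.refresh_expires_at);
  if (!refreshUsable) return "reauth";
  session.tokenset = provider(now, ts);
  return "refreshed";
}

// Two provider behaviours mentioned above: one keeps the original refresh
// token and its expiry; the other rotates it, issuing a fresh refresh window.
const staticRefresh = (now, ts) => ({ ...ts, access_expires_at: now + 300 });
const rotatingRefresh = (now) => makeTokenset(now, 300, 3600, "rt-rotated");

// Replay a list of request times against a session that started at t=0 with a
// 300 s access token and a 3600 s refresh token; returns the outcome per request.
function simulate(provider, requestTimes) {
  const session = { tokenset: makeTokenset(0, 300, 3600) };
  return requestTimes.map((t) => handleRequest(session, t, provider));
}
```

With requests at t=0, 400 and 3900, the static provider ends in "reauth" (the user was idle past the original refresh window) while the rotating provider keeps the session alive, which is the nuance the answer points at.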

nonefaken commented 3 years ago

Thank you for clarifications!