Here is my scenario. I used Auth0 as OP for testing purposes. There are two Relying Party (RP) clients using its services. One is ExternalClient, to which I don’t have code access. I suppose it is using the normal authentication middleware with Authorize headers to access protected endpoints.
The second client is MyClient, a Web API RP implemented by me. Its whole purpose is to authenticate end-users with Auth0, such that if users provide their credentials in MyClient, they don’t need to enter their credentials again when signing into ExternalClient.
MyClient doesn’t have any protected endpoints, and it is not using the normal authentication middleware (ASP.NET Core). It just makes calls to OpenID Connect 1.0 endpoints: /authorize, /token and /endpoint by using the IdentityModel 2 client library.
All is working fine and SSO is achieved. MyClient makes a call to /authorize, and Auth0’s authorization server creates an SSO session. I don’t need to provide the credentials again when signing into ExternalClient.
The problem is that at some point the session expires. Auth0 has configuration for user inactivity timeout. When this time has expired, I need to enter the credentials again in ExternalClient. There is a mechanism to refresh SSO sessions by using prompt=none on the /authorize endpoint, which prolongs sessions while calls are being made. Nevertheless, at some point the SSO session will expire. Auth0 maximum is 30 days for SSO session expiration.
I tried to use the refresh token flow after the SSO is expired. Although I get a new access token which I can use to call /userinfo and return valid claims, it doesn’t add an SSO session. The other OAuth 2.0 flows, Password and Client Credentials, have similar outcomes. They all just return an access token, but it is useless in my scenario since MyClient doesn’t have protected resources, and in fact ExternalClient should be the appropriate receiver for the new access token.
Is it possible to add a new SSO session when the current one is expired? Can the refresh be used somehow for this purpose? How can this SSO permanent login be achieved (no client side scripts)?
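An added example (not the poster's code) of the prompt=none probe the question relies on: it builds the silent /authorize request and classifies the OP's redirect, so a client can tell a live SSO session (a `code` comes back) from an expired one (`error=login_required`, which per OIDC Core means only an interactive login will create a new session; a refresh token does not). The tenant domain, client id and redirect URI are constructed placeholders.

```python
"""Probe whether the OP still holds an SSO session, using prompt=none.

Added example for the scenario above; ISSUER, CLIENT_ID and REDIRECT_URI are
constructed placeholders, not values from the post.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

ISSUER = "https://example-tenant.auth0.com"        # placeholder tenant
CLIENT_ID = "myclient-placeholder-id"               # placeholder client id
REDIRECT_URI = "https://myclient.example/callback"  # placeholder redirect


def build_silent_authorize_url(state: str, nonce: str) -> str:
    """prompt=none asks the OP to answer without any login UI, so the
    redirect reveals whether an authenticated session still exists."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,   # CSRF binding: must echo back unchanged
        "nonce": nonce,   # replay binding for the ID token issued at /token
        "prompt": "none",
    }
    return f"{ISSUER}/authorize?{urlencode(params)}"


def start_probe() -> tuple[str, str, str]:
    """Generate fresh state/nonce and the URL to send the user-agent to."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    return build_silent_authorize_url(state, nonce), state, nonce


def classify_callback(callback_url: str, expected_state: str) -> str:
    """Interpret the OP's redirect from a prompt=none request.

    'state_mismatch'  : not our request; discard the response.
    'session_alive'   : a code was issued; exchange it at /token as usual.
    'login_required'  : no SSO session; only an interactive login fixes this
                        (a refresh token yields tokens, not a new session).
    'error:<code>'    : any other OAuth/OIDC error returned by the OP.
    """
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        return "state_mismatch"
    if "code" in qs:
        return "session_alive"
    err = qs.get("error", ["unknown"])[0]
    if err in ("login_required", "interaction_required"):
        return "login_required"
    return f"error:{err}"
```

Run the probe on a schedule shorter than the inactivity timeout to keep the session alive; once it reports `login_required`, the only way back is an interactive /authorize without prompt=none.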