Here is my scenario. I used Auth0 as OP for testing purposes. There are two Relying Party (RP) clients using its services. ExternalClient to which I don’t have code access. I suppose it is using the normal authentication middleware with Authorize headers to access protected endpoints.
The second client is MyClient, a Web API RP implemented by me. Its whole purpose is to authenticate end-users with Auth0, such that if users provide their credentials in MyClient, they don’t need to enter their credentials again when signing into ExternalClient.
MyClient doesn’t have any protected endpoints, and it is not using the normal authentication middleware (ASP.NET Core). It just makes calls to OpenID Connect 1.0 endpoints: /authorize, /token and /endpoint by using the IdentityModel 2 client library.
All is working fine and SSO is achieved. MyClient makes a call to /authorize, and Auth0’s authorization server creates an SSO session. I don’t need to provide the credentials again when signing into ExternalClient.
The problem is that at some point the session expires. Auth0 has a configuration setting for user inactivity timeout. When this time has expired I need to enter the credentials again in ExternalClient. There is a mechanism to refresh SSO sessions by using prompt=none on the /authorize endpoint, which prolongs sessions while calls are being made. Nevertheless, at some point the SSO session will expire. Auth0’s maximum is 30 days for SSO session expiration.
I tried to use the refresh token flow after the SSO session has expired. Although I get a new access token which I can use to call /userinfo and return valid claims, it doesn’t add an SSO session. The other OAuth 2.0 flows, Password and Client Credentials, have similar outcomes. They all just return an access token, but it is useless in my scenario since MyClient doesn’t have protected resources, and in fact ExternalClient should be the appropriate receiver for the new access token.
Is it possible to add a new SSO session when the current one is expired? Can the refresh be used somehow for this purpose? How can this SSO permanent login be achieved (no client side scripts)?
The SSO session will be extended only when the interactive authorization endpoint is used (/authorize). Interactions through the /oauth/token endpoints don’t have any effect on the session (nor do they require or use a session to work).
As per the previous answer, since the refresh token is not usable for this use case, the only solution I can think of to work around the inactivity timeout and mimic a user making requests directly in the browser is the following.
Run a service on the computer on which the client browser resides which makes calls to ChromeDriver (or Selenium WebDriver). This driver, which can run headless, can then also make scheduled HTTP requests to the /authorize endpoint, passing the prompt=none parameter. This would essentially mimic user activity, as in the case when an actual user would navigate around a website and there would be an iframe tag in the page making requests to the /authorize endpoint.
Of course there would also be the “Require log in after” setting, but this is hit only rarely. It is also just an idea, but I don’t see any impediments to it at the moment.
How long does the session last in the “ExternalClient”? If you can make the session last less than three days, every time the application asks for a new token the window will be extended.
But I’m guessing you can’t change that, otherwise you could set that session to last 30 days or more.
Anyway, hopefully long-lived sessions will come soon and you won’t need to rely on services to keep the session active.
The session will last 8 hours in ExternalClient. So Inactivity timeout: 8 hours; “Require log in after” is longer, I suppose at least one week.
Not sure what you mean regarding “if you can make the session last less than three days, every time the application asks for a new token the window will be extended”.
If your “ExternalClient” sees that the session for the user has expired after 8 hours (and assuming the user keeps working on the app), then the app will ask Auth0 for a new authentication. When this happens, the 3-day inactivity window (assuming you kept the maximum value) in Auth0 will be reset, and for three days the user won’t have to authenticate again. As long as this keeps happening before the 3-day period expires, the user won’t have to authenticate for 30 days (or whatever you configured as “Require log in after”).
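As an added illustration (not code from the thread, from Auth0, or from the IdentityModel library), this Python models the two session windows explained in the last reply and builds and interprets the prompt=none /authorize check proposed earlier; the tenant domain, client_id and redirect URI are placeholders, and the re-auth schedule is constructed.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTH0_DOMAIN = "example-tenant.auth0.com"           # placeholder tenant
CLIENT_ID = "PLACEHOLDER_CLIENT_ID"                 # placeholder client id
REDIRECT_URI = "https://myclient.example/callback"  # placeholder RP callback
HOUR, DAY = 3600, 24 * 3600

def silent_authorize_url(state: str, nonce: str) -> str:
    """/authorize with prompt=none: succeeds only if an SSO session exists and
    never shows a login page, so it can be polled to keep the session warm."""
    params = {"client_id": CLIENT_ID, "response_type": "code", "scope": "openid",
              "redirect_uri": REDIRECT_URI, "prompt": "none",
              "state": state, "nonce": nonce}
    return f"https://{AUTH0_DOMAIN}/authorize?" + urlencode(params)

def classify_callback(callback_url: str, expected_state: str) -> str:
    """Interpret the redirect back from a prompt=none request."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        return "state_mismatch"          # reject: not a reply to our request
    if "code" in q:
        return "session_alive"           # OP still had a session; it was extended
    if q.get("error", [""])[0] in ("login_required", "interaction_required"):
        return "session_expired"         # only an interactive login can recreate it
    return "error"

def sso_session_alive(login_at: int, reauths: list, now: int,
                      inactivity: int = 3 * DAY, absolute: int = 30 * DAY) -> bool:
    """Model of the two Auth0 windows: every /authorize hit resets the inactivity
    timeout, but 'Require log in after' counts from the original interactive login."""
    if now - login_at > absolute:
        return False
    last = login_at
    for t in sorted(reauths):
        if t > now:
            break
        if t - last > inactivity:
            return False                 # gap too long: the user had to log in again
        last = t
    return now - last <= inactivity

if __name__ == "__main__":
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(silent_authorize_url(state, nonce))
    # ExternalClient's 8-hour session forces a re-auth every 8 hours (constructed schedule)
    every_8h = [8 * HOUR * i for i in range(1, 90)]
    print(sso_session_alive(0, every_8h, 29 * DAY))   # True: still inside 30 days
    print(sso_session_alive(0, [], 4 * DAY))          # False: 3-day inactivity hit
```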