Auth0 Home Blog Docs

OIDC Session Timeout vs. token expiry

oidc
mod_auth_openidc
#1

Hello everyone,

I have an non-OAuth/OIDC aware web app behind mod_auth_openidc. In testing, we start getting 401s after 15 minutes. As a result, I am trying to understand the relationship and interaction between the mod_auth_openidc session timeout settings and the SSO and JWT expiry settings in Auth0. Specifically these two parameters:

# Interval in seconds after which the session will be invalidated when no interaction has occurred.
# When not defined, the default is 300 seconds.
#OIDCSessionInactivityTimeout <seconds>

# Maximum duration of the application session
# When not defined the default is 8 hours (3600 * 8 seconds).
# When set to 0, the session duration will be set equal to the expiry time of the ID token.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: session_max_duration
#OIDCSessionMaxDuration <seconds>

Apparently mod_auth_openidc in our environment (I don’t control the config myself) is configured with OIDCSessionMaxDuration set to 15 minutes (I don’t know what OIDCSessionInactivityTimeout is set to), which is obviously where the 401s are coming from. My SSO expiry is 24 hrs, and token expiry is 5 minutes.

If OIDC max session duration is 15 mins, but the user is still logged in (SSO session 24 hrs), I would expect the OIDC session to be re-established automatically. Perhaps we need to trap the 401s and do something to re-establish the session?