We are trying to build a SSO solution for a suite of applications (mostly standard web apps, but we would like to support SPA). Per requirements, users must be logged out of all applications after 15 minutes of inactivity, requiring a password to log back in. However, using any one of the applications should keep the user logged in to all of them. A timeout warning dialog must appear prior to the session timing out.
I am seeking high level direction here - I can and have been Googling the low level stuff and have a proof of concept Authorization Code Flow working in our Ruby app, using Universal login and Omniauth as per Auth0’s quick start directions, but I have hit many walls on the session handling end. We have implemented a session timeout warning dialog but now we need to port it to use the shared Auth0 session.
So, some questions to start:
How should the 15 minute timeout work? I’m assuming the tenant itself needs a 15 minute inactivity timeout, in order to share it across the apps. So our apps will need to check in with Auth0 every so often to refresh the session. What’s the best practice for that - set a one minute timeout on our access tokens, forcing a refresh token to be sent every 60 seconds? If so, does that logic exist in OmniAuth (I think not?) or is there a SDK I can leverage, or do we need to roll our own? How can an application discover how much time is left in before the user times out - for example, if the user is actively working in app2, how can app1 determine that it should not log out the user? How do we rate-limit our requests to Auth0 here? Examining shared cookies perhaps? Could app1 poll a cookie and call the backend to indicate it should stay alive? Or should the backend do something with Auth0 when it receives a request, and if so, how does that get rate-limited? Or maybe I’m way off track here, knowing that would help too.
Again I’m hoping for guidance that sends us in the right direction. I understand this is a complex scenario and will not have a one-size-fits-all answer. Any guidance appreciated.