Updated by Jan Sandbrink 5 days ago
**As an** administrator integrating our application with an OIDC-compliant Identity Provider (e.g., Keycloak, Auth0)
**I want to** verify the validity of the user’s session at the IdP from within our application
**so that** we can synchronize logout behavior and avoid the user remaining logged into our app after their IdP session has expired
**Acceptance criteria**
* When the session at the IDP has ended (either due to expiry or logout), the user's session at OpenProject should end as well
* Interacting with OpenProject should keep the IDP session "alive"
* TBD: Allow users to disable new behaviour?
**Technical notes**
* A session validation mechanism is necessary, for example:
  * OIDC check\_session\_iframe (per [OIDC Session Management spec](https://openid.net/specs/openid-connect-session-1_0.html)), or
  * A silent frontend re-authentication flow (prompt=none) returning the current session state, or
  * A silent backend re-authentication flow using the refresh token **(preferred)**
* Handling of edge cases such as blocked third-party cookies (a common problem in the session\_iframe solution)
* Should the polling interval for checking session state be configurable or derived from the IdP (e.g. access token expiry)?
* Options
  * For prompt=none: Must support a GET /authorize request via a hidden iframe with an id\_token response type and no user interaction
    * Requires a redirect URI in the RP app to handle silent authentication responses
  * For check\_session\_iframe: The IdP must expose check\_session\_iframe in the discovery document and support JS session polling
    * The app should invalidate the local session if the IdP session is no longer valid
    * CORS and third-party cookie restrictions are a known problem for this option
* Which providers would we expect to support this?
  * Keycloak (openDesk)
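One way to implement the preferred backend option (refresh-token re-authentication with the polling interval derived from access token expiry), as an added example that is not OpenProject's code: the token endpoint URL, client credentials and the injectable `http_post` callback are assumptions, and the IdP is assumed to bind refresh tokens to the SSO session as Keycloak does.

```ruby
require "json"
require "net/http"

# Backend session check via the refresh token (the preferred option above).
# Assumes the IdP binds refresh tokens to the SSO session, as Keycloak does:
# once that session ends the token endpoint answers 400 invalid_grant and
# the local OpenProject session must be terminated.
class IdpSessionValidator
  Result = Struct.new(:state, :next_check_in, :tokens, keyword_init: true)

  # http_post is injectable so the check runs offline in tests; it must
  # return [status_code, body_string] like a POST to the token endpoint.
  def initialize(token_endpoint:, client_id:, client_secret:, http_post: nil)
    @token_endpoint = token_endpoint
    @client_id = client_id
    @client_secret = client_secret
    @http_post = http_post || method(:default_post)
  end

  # :valid   -> IdP session alive; rotated tokens and next poll delay
  # :ended   -> IdP session gone; end the local session (log out)
  # :unknown -> transient error; keep the session and retry soon
  def validate(refresh_token)
    status, body = @http_post.call(@token_endpoint, {
      "grant_type" => "refresh_token", "refresh_token" => refresh_token,
      "client_id" => @client_id, "client_secret" => @client_secret
    })
    data = begin
      JSON.parse(body.to_s)
    rescue JSON::ParserError
      {}
    end
    if status == 200 && data["access_token"]
      # Polling interval derived from access token expiry: re-check 30 s
      # before it expires, but never more often than every 30 s.
      interval = [data.fetch("expires_in", 300).to_i - 30, 30].max
      Result.new(state: :valid, next_check_in: interval, tokens: data)
    elsif status == 400 && data["error"] == "invalid_grant"
      Result.new(state: :ended, next_check_in: nil, tokens: nil)
    else
      Result.new(state: :unknown, next_check_in: 30, tokens: nil)
    end
  end

  private

  def default_post(url, form)
    res = Net::HTTP.post_form(URI(url), form)
    [res.code.to_i, res.body]
  end
end
```

A refresh token issued with the `offline_access` scope is not tied to the SSO session in Keycloak and would keep succeeding after logout, so this check must run with an ordinary (online) refresh token.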
**Permissions and visibility considerations**
* Users of the application are indirectly affected (e.g. by automatic logout behavior)
**Translation considerations**
* _Key terms and phrases in the key languages_
**Out of scope**