I’m working on implementing Hydra in order to have a centralized identity provider / user management app which will be used by multiple of our products (which are setup as separate oauth clients) to authenticate users. The user should be able to login once centrally with open id and seamlessly be able to authenticate with any product without needing to provide credentials again.
One of the requirements we have for compliance reasons is session expiration. Specifically we wish to start a countdown when someone logs in which will eventually mean the session is expired, but we want the clock to be reset if the user is active on one of the products so they don’t get logged out if they are active.
I know hydra has “remember” and “remember_for” fields that can be set when accepting a login challenge which define what the expiration date is set to on the hydra session cookie. However, once set I don’t believe this can then be extended (docs say that it has no effect if “skip” is set to true which would be the case where a session already exists.
So I don’t think setting this will work because if the user is active on one product, they would have to provide credentials again to access a different product if it’s been a while since they last provided credentials.
Is there a recommended way to handle this?
To add a bit of context about the implementation I have so far.
- I’m using backchannel logout so that if a logout is done centrally it kills the session the user agent has with all products.
- Also I know this kind of goes against what the docs say you should do but my login challenger endpoint does itself store some state. As part of login challenge (after they supply correct creds, but before I call hydra to accept the challenge) I make the user choose which organization they want to scope their session to if they are a member of multiple, this goes into the id token. I store this preference in redis with a key containing the “sid” of the login challenge so future logins challenges where the user already is logged into hydra can share that data without the user being asked for it again. But as I’m using hydra’s session id to store against I don’t foresee any major issues with this (I’m not using a session cookie of my own). In fact one solution to the above problem could be to piggy back off this and have products call out to a url within the login provider endpoint to reset the clock for a given hydra sid, and then check this within the login challenge. But would be interested to hear thoughts on this.
Thanks in advance