Labels: enhancement
Is your feature request related to a problem? Please describe.
Currently, Authly's session management is tightly coupled with the OIDC Refresh Token mechanism.
When a user logs in, a session cookie is created which acts directly as the Refresh Token. We use
a 7-day sliding window for rotation. If a user is inactive for >7 days, the token expires, and
the user loses their global authentication state, forcing them to re-enter credentials even if
they just want to access a different application or the Authly dashboard.
Describe the solution you'd like
We should separate the Global Identity Provider Session (SSO) from the Client Application Refresh Tokens:
- Global IdP Cookie: Introduce a separate, long-lived, secure, HTTP-only cookie (e.g., authly_sso) that identifies the user's browser session with the Authly server.
- Silent SSO Flow: Update the /authorize endpoint to check for this global cookie. If it exists and is valid, Authly should skip the login screen and immediately issue a new Authorization Code for the requesting client.
- Decoupled TTL: Allow the Global SSO session to have a longer lifetime (e.g., 30 days) while keeping OIDC Refresh Tokens on a shorter sliding window (e.g., 7 days) for better security and UX.
Describe alternatives you've considered
None. This is the safest possible way to do this.
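The following is an added example, not Authly's code, that models the proposed split: a global `authly_sso` cookie with a fixed 30-day lifetime, per-client refresh tokens on a 7-day sliding window, and an `/authorize` check that issues a fresh single-use authorization code when the SSO cookie is still valid. The `IdP` class, its in-memory dictionaries, the 60-second code lifetime and the `Set-Cookie` attributes are assumptions for illustration; only the cookie name and the two TTLs come from the issue. Tokens are stored as SHA-256 digests so a leaked store does not yield usable credentials.

```python
"""Added example (not Authly's own code): global SSO cookie decoupled from OIDC refresh tokens."""
import hashlib
import secrets
from dataclasses import dataclass, field

SSO_TTL = 30 * 24 * 3600      # global IdP session lifetime proposed in the issue (30 days, fixed)
REFRESH_TTL = 7 * 24 * 3600   # sliding window for client refresh tokens (7 days)
CODE_TTL = 60                 # assumed lifetime of an authorization code (seconds)
SSO_COOKIE = "authly_sso"     # cookie name from the issue


def _digest(token: str) -> str:
    """Store only a hash of each bearer secret; the raw value lives in the client."""
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class IdP:
    """Hypothetical in-memory identity provider state; timestamps are epoch seconds."""
    sso_sessions: dict = field(default_factory=dict)    # sha256(cookie) -> {"sub", "expires"}
    refresh_tokens: dict = field(default_factory=dict)  # sha256(token) -> {"sub", "client_id", "expires"}
    auth_codes: dict = field(default_factory=dict)      # code -> {"sub", "client_id", "expires"}

    def login(self, sub: str, now: int):
        """Credential login: creates the global SSO session and returns (cookie value, Set-Cookie header)."""
        raw = secrets.token_urlsafe(32)
        self.sso_sessions[_digest(raw)] = {"sub": sub, "expires": now + SSO_TTL}
        header = (f"{SSO_COOKIE}={raw}; Secure; HttpOnly; SameSite=Lax; Path=/; "
                  f"Max-Age={SSO_TTL}")
        return raw, header

    def authorize(self, client_id: str, cookies: dict, now: int) -> dict:
        """/authorize: silent SSO when the global cookie is valid, otherwise require login."""
        raw = cookies.get(SSO_COOKIE)
        key = _digest(raw) if raw else None
        sess = self.sso_sessions.get(key) if key else None
        if sess is None or sess["expires"] <= now:
            if sess is not None:
                self.sso_sessions.pop(key)  # drop the expired session eagerly
            return {"action": "login_required"}
        code = secrets.token_urlsafe(16)
        self.auth_codes[code] = {"sub": sess["sub"], "client_id": client_id,
                                 "expires": now + CODE_TTL}
        return {"action": "redirect", "code": code}

    def exchange_code(self, code: str, client_id: str, now: int):
        """Token endpoint: a single-use code bound to its client yields a new refresh token."""
        entry = self.auth_codes.pop(code, None)
        if entry is None or entry["client_id"] != client_id or entry["expires"] <= now:
            return None
        raw = secrets.token_urlsafe(32)
        self.refresh_tokens[_digest(raw)] = {"sub": entry["sub"], "client_id": client_id,
                                             "expires": now + REFRESH_TTL}
        return raw

    def refresh(self, raw: str, client_id: str, now: int):
        """Sliding-window rotation: a valid token is retired and replaced, extending the window."""
        entry = self.refresh_tokens.pop(_digest(raw), None)
        if entry is None or entry["client_id"] != client_id or entry["expires"] <= now:
            return None
        new_raw = secrets.token_urlsafe(32)
        self.refresh_tokens[_digest(new_raw)] = {**entry, "expires": now + REFRESH_TTL}
        return new_raw


def walkthrough() -> dict:
    """Constructed scenario: the refresh window lapses but the SSO session still carries the user."""
    day = 24 * 3600
    idp = IdP()
    cookie, _ = idp.login("alice", 0)
    first = idp.authorize("app1", {SSO_COOKIE: cookie}, 0)
    rt = idp.exchange_code(first["code"], "app1", 0)
    return {
        "refresh_after_8_days": idp.refresh(rt, "app1", 8 * day),             # None: window lapsed
        "silent_sso_day_8": idp.authorize("app1", {SSO_COOKIE: cookie}, 8 * day)["action"],
        "sso_day_31": idp.authorize("app1", {SSO_COOKIE: cookie}, 31 * day)["action"],
    }


if __name__ == "__main__":
    print(walkthrough())
```

The point the walkthrough makes is the one the issue asks for: after eight idle days the client's refresh token is gone, but `/authorize` still recognises the browser and hands out a new code without a login screen; only once the 30-day global session lapses does the user see the credential prompt again.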