Feature Request: Refresh OIDC token on active user sessions
Is your feature request related to a problem?
Currently, user_oidc does not refresh the OIDC token during an active Nextcloud session. After the initial login, Nextcloud maintains its own PHP session independently from the identity provider (e.g. Keycloak). As a result:
- The identity provider's "last access" timestamp is never updated after login
- The SSO session on the identity provider expires even while the user is actively working in Nextcloud
- If Backchannel Logout is configured, the user gets logged out of Nextcloud despite being active — because the IdP session expired due to inactivity
Describe the solution you'd like
When store_login_token is enabled, user_oidc should automatically refresh the stored token periodically during an active user session (e.g. on each request, or at a configurable interval). This would:
- Keep the SSO session on the identity provider alive as long as the user is active in Nextcloud
- Allow the identity provider's "last access" / session idle timer to be reset correctly
- Make Backchannel Logout work as intended — users are only logged out when truly inactive, not while actively working
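As an added illustration (not user_oidc's own code), the per-request hook described above in Python: a `refresh_token` grant (RFC 6749 §6) sent to an assumed Keycloak token endpoint only when the configurable interval has elapsed or the access token is about to expire. `TOKEN_ENDPOINT`, `StoredLogin`, `touch_session` and the `poster` injection point are assumptions made so the example runs offline.

```python
"""Keep the IdP session alive by refreshing the stored OIDC token periodically."""
import json
import time
from dataclasses import dataclass
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Assumed Keycloak realm token endpoint (placeholder host, not from the issue).
TOKEN_ENDPOINT = "https://idp.example.invalid/realms/demo/protocol/openid-connect/token"
REFRESH_INTERVAL = 300  # seconds; the "configurable interval" the request asks for
EXPIRY_MARGIN = 30      # refresh a little before the access token actually expires


@dataclass
class StoredLogin:
    access_token: str
    refresh_token: str
    expires_at: float    # unix time at which access_token expires
    last_refresh: float  # unix time of the last successful refresh (login time initially)


def post_form(url, fields):
    """Real HTTP poster: form-encoded POST, JSON response (used when no poster is injected)."""
    req = Request(url, data=urlencode(fields).encode(),
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req, timeout=10) as resp:
        return json.load(resp)


def should_refresh(login, now, interval=REFRESH_INTERVAL):
    """Refresh when the interval has elapsed or the access token is about to expire."""
    return now - login.last_refresh >= interval or now >= login.expires_at - EXPIRY_MARGIN


def refresh_login(login, client_id, client_secret, now, poster=post_form):
    """Run the refresh_token grant; return the updated login, or None if the IdP rejects it."""
    resp = poster(TOKEN_ENDPOINT, {"grant_type": "refresh_token",
                                   "refresh_token": login.refresh_token,
                                   "client_id": client_id, "client_secret": client_secret})
    if "access_token" not in resp:
        # e.g. {"error": "invalid_grant"}: the IdP session is gone, so the Nextcloud
        # session should end too (the same outcome a backchannel logout would produce).
        return None
    return StoredLogin(access_token=resp["access_token"],
                       # the IdP may rotate the refresh token; keep the old one only if none is returned
                       refresh_token=resp.get("refresh_token", login.refresh_token),
                       expires_at=now + int(resp.get("expires_in", REFRESH_INTERVAL)),
                       last_refresh=now)


def touch_session(login, client_id, client_secret, now=None, poster=post_form):
    """Per-request hook: returns (login, attempted). login is None when the session must be ended."""
    now = time.time() if now is None else now
    if not should_refresh(login, now):
        return login, False
    return refresh_login(login, client_id, client_secret, now, poster), True
```

The refresh request itself is what resets the identity provider's idle timer, so a hook like this needs to run only every `REFRESH_INTERVAL` seconds, not on every single request.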
Describe alternatives you've considered
The current workaround is to set a very high SSO Session Idle timeout in Keycloak, which is not ideal as it means inactive users are kept logged in for longer than desired.
Environment
- Nextcloud: 32.0.6
- user_oidc: 8.6.1
- Identity Provider: Keycloak
Additional context
This is a common pain point for self-hosted setups using Keycloak + Nextcloud with Backchannel Logout. The expected behavior in a proper SSO setup is that the identity provider session lifetime is driven by actual user activity, not just the initial login time.