Session timeouts despite SSO_AUTH_ONLY_NOT_SESSION #45
Comments
Hey, the doc is out of date: the refresh token was lowered to a 7-day idle timer (the one year was judged too long, cf. this discussion). With activity, it can be extended indefinitely. But the issue might be that not all activity triggers a call to refresh the tokens.
Ah yes, I remember reading that discussion. I believe it is a misunderstanding and the current behavior does not match the non-SSO experience. According to this Bitwarden article, "Offline Vault sessions will expire after 30 days. Except for mobile client applications, which will expire after 90 days." What happens with the SSO patch right now is when the I suggest raising this to 90 days with a reference to that article. Unfortunately I couldn't find the code in the client that deals with the case of the
The current Vaultwarden non-SSO experience uses a secret linked to the I isolated the addition of the JWT refresh token in a separate PR. Will mention the suggestion of raising the expiration to 30 days.
Noticed the same behaviour too.
I had some feedback from BlackDex in the other PR; I made the switch to 30 days in it and in So it will be in the next release. Might wait a bit since I already had integrated the latest webvault change, so I might wait for the next Vaultwarden release.
Hey, forgot to mention it in the changelog, but it was released with
So the behavior is now the following:
No 30 days (which can be extended) for all.
How can it be extended?
Each call to the
Hey, I've been running the current version of your sso-support branch for a few weeks now on a test installation. I have set
SSO_AUTH_ONLY_NOT_SESSION: "true"
because my IdP does not return a refresh_token.
But while the last version of the PR I had touched never logged anyone out, I am seeing frequent logouts after a few days of no contact with the server now.
SSO.md claims the generated refresh tokens are valid for a year, yet the generated tokens actually seem to be valid for only 7 days.
This appears to be a regression, or am I holding it wrong? The non-SSO Vaultwarden does not return a JWT as refresh token but simply some opaque data as far as I can tell, and the client has never logged me out for not having contacted the server for a few days.
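To make the idle-timer behaviour discussed above concrete (a 7-day, later 30-day sliding expiry that only a refresh call extends, so a client that goes quiet longer than the window is logged out), here is a small added model in Rust. It is not Vaultwarden's or the sso-support branch's code; the token shape, the `refresh`/`first_logout` names and the constructed call timeline are assumptions, only the 7-day and 30-day values come from the thread.

```rust
// Added example: sliding idle expiry for a refresh token. Not Vaultwarden code;
// the struct, function names and sample timeline are constructed for illustration.
const DAY: u64 = 24 * 60 * 60;

#[derive(Debug, Clone, PartialEq)]
pub struct RefreshToken {
    pub user_id: String,
    /// Unix time (seconds) at or after which the token is rejected.
    pub exp: u64,
}

#[derive(Debug, PartialEq)]
pub enum RefreshError {
    Expired { expired_by: u64 },
}

/// Validate `token` at time `now` and, on success, issue a replacement whose
/// expiry is pushed out by `idle_days`. Only calls that reach this function
/// extend the session; client activity that never hits the refresh endpoint
/// does not, which is the failure mode the thread describes.
pub fn refresh(token: &RefreshToken, now: u64, idle_days: u64) -> Result<RefreshToken, RefreshError> {
    if now >= token.exp {
        return Err(RefreshError::Expired { expired_by: now - token.exp });
    }
    Ok(RefreshToken { user_id: token.user_id.clone(), exp: now + idle_days * DAY })
}

/// Replay refresh-call timestamps (seconds) against a token issued at
/// `issued_at`; returns the time of the first rejected call, if any.
pub fn first_logout(issued_at: u64, calls: &[u64], idle_days: u64) -> Option<u64> {
    let mut token = RefreshToken { user_id: "user@example.com".into(), exp: issued_at + idle_days * DAY };
    for &t in calls {
        match refresh(&token, t, idle_days) {
            Ok(next) => token = next,
            Err(_) => return Some(t),
        }
    }
    None
}

fn main() {
    // Constructed timeline: refresh calls on day 3 and day 5, then no contact
    // with the server until day 13 (an 8-day gap).
    let calls = [3 * DAY, 5 * DAY, 13 * DAY];
    println!("7-day idle timer, first logout at: {:?}", first_logout(0, &calls, 7));
    println!("30-day idle timer, first logout at: {:?}", first_logout(0, &calls, 30));
}
```

With the 7-day timer the day-13 call is rejected (the token issued on day 5 expired on day 12); with the 30-day timer the same timeline never logs the user out.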