session extension hook
Summary
This feature was requested by a customer, but it can be interesting for others, especially if it is designed in a generic way.
The main feature is to intercept some events and trigger an SSO session extension.
Design proposition
After some basic research, I didn't find any sort of norm or standard for this.
Here is the design proposition:
- the hook will intercept some events. Possible events are:
  - when the user calls the /ping endpoint on the portal with a valid cookie
  - when the user authenticates
  - when the user reauthenticates
  - when the user asks for a "refresh my rights from the portal"
  - when the user is asked for a session upgrade (he must enter a second factor to access a more secure application)
  - when an application sends a direct call to /ping, with the user session id passed in the Authentication header (we should think about security risks. Maybe replay attacks?)
  - when refreshing an access token with a refresh token
  - any other event I haven't thought of?
  The list of triggering events must be customizable.
- it possibly triggers two actions:
  - if timeoutActivity is set, it performs the same actions as in Handler/Main/Run.pm (function retrieveSession): it verifies that the session is valid, checks that the session is not expired (timeoutActivity), and updates _lastSeen in the session. Note: it may thus be interesting to factorize this code if possible.
  - it triggers an AT refresh thanks to the refresh token. The list of OIDC providers on which it is triggered must be customizable. Obviously, the refresh must occur only if the user has authenticated against the given OIDC provider.
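To make the proposal concrete, here is a small Perl sketch of the hook dispatcher (an added illustration, not LemonLDAP::NG code): configurable trigger events, the retrieveSession-style inactivity check that updates _lastSeen, and an AT refresh gated on the OP the user authenticated against. The session is a constructed hashref; `_oidc_OP`, `_oidcRefreshToken` and `refresh_access_token()` are assumed names standing in for the real session keys and OIDC refresh call.

```perl
#!/usr/bin/perl
# Illustrative sketch of the proposed hook (added example, not project code).
# Assumed: session is a hashref (_utime/_lastSeen as in LemonLDAP::NG;
# _oidc_OP/_oidcRefreshToken are assumed key names) and
# refresh_access_token() stands in for the real refresh-token exchange.
use strict;
use warnings;

# Configurable parts of the proposal
my %conf = (
    timeoutActivity  => 900,                      # seconds of inactivity allowed (0 = disabled)
    triggerEvents    => { ping => 1, authenticate => 1, refreshRights => 1 },
    refreshProviders => { 'op-internal' => 1 },   # OPs for which an AT refresh is triggered
);

# Stand-in for the real refresh-token exchange: returns 1 on success.
sub refresh_access_token {
    my ($session) = @_;
    return 0 unless $session->{_oidcRefreshToken};
    $session->{_oidcAccessToken} = 'new-at-' . time;
    return 1;
}

# Returns a status string so the caller can log or act on it.
sub session_extension_hook {
    my ($event, $session, $now) = @_;
    $now //= time;
    # 1. Only configured events trigger the hook
    return 'ignored' unless $conf{triggerEvents}{$event};
    # 2. Same checks as retrieveSession: valid session, not expired by inactivity
    return 'invalid' unless ref $session eq 'HASH' && $session->{_session_id};
    if ( $conf{timeoutActivity} ) {
        my $last = $session->{_lastSeen} // $session->{_utime} // 0;
        return 'expired' if $now - $last > $conf{timeoutActivity};
        $session->{_lastSeen} = $now;             # extend the SSO session
    }
    # 3. AT refresh only for the OP the user actually authenticated against
    my $op = $session->{_oidc_OP} // '';
    if ( $conf{refreshProviders}{$op} ) {
        return refresh_access_token($session) ? 'extended+refreshed' : 'extended';
    }
    return 'extended';
}

# Constructed sample sessions: one active user of op-internal, one idle for an hour
my %active = ( _session_id => 'abc', _utime => time - 60, _lastSeen => time - 60,
               _oidc_OP => 'op-internal', _oidcRefreshToken => 'rt-xyz' );
my %idle   = ( _session_id => 'old', _utime => time - 3600, _lastSeen => time - 3600 );
print session_extension_hook( 'ping', \%active ), "\n";
print session_extension_hook( 'ping', \%idle ), "\n";
```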
Do not hesitate to discuss this proposition and give your ideas.