
Add periodic validation of auth tokens to expire sessions for deactivated users #1051

@whoAbhishekSah

Description


The Authenticate and AuthCallback APIs support multiple Authentication Strategies, such as mailotp and Google login. Once the login is successful, a session is created in the database. The session ID has an expiry time of 1 month.

The Authenticate call initiates a StartFlow procedure, which creates a Flow with the configuration settings of the strategy. Once the AuthCallback is called, the respective flow entry is consumed, and a session is created with the flow ID in the database. The session ID is sent to the browser client with Cookies in the Response header after encoding it.

For the Google strategy, the AuthCallback function fetches the authentication token for the user from the Google Authentication server. Frontier uses this token to retrieve the user's profile information (such as the email address).

// In AuthCallback for the Google strategy: exchange the code for a token, then fetch the profile
authToken, err := idp.Token(ctx, request.Code, flow.Nonce)
if err != nil {
    return nil, err
}
oauthProfile, err := idp.GetUser(ctx, authToken)
if err != nil {
    return nil, err
}

After that, it creates the session. The session is valid for the next 30 days, even if the user is no longer valid.

Approach

Google strategy

One approach could be to store the refresh token with session metadata.

// In applyOIDC in core/authenticate/service.go
authToken, err := idp.Token(ctx, request.Code, flow.Nonce)
if err != nil {
    return nil, err
}

// Get user info and create/get user
oauthProfile, err := idp.GetUser(ctx, authToken)
if err != nil {
    return nil, err
}

newUser, err := s.getOrCreateUser(ctx, oauthProfile.Email, oauthProfile.Name)
if err != nil {
    return nil, err
}

// Create session with tokens
session, err := s.sessionService.Create(ctx, newUser.ID)
if err != nil {
    return nil, err
}

// Store both ID token and refresh token.
// The ID token is an optional extra on the token response, so check the type
// assertion instead of panicking when it is absent.
idToken, ok := authToken.Extra("id_token").(string)
if !ok {
    return nil, fmt.Errorf("oidc token response has no id_token")
}
session.Metadata["id_token"] = idToken
session.Metadata["refresh_token"] = authToken.RefreshToken
session.Metadata["oidc_provider"] = flow.Method
// Persist the metadata alongside the session so the periodic validation job can read it.

return &RegistrationFinishResponse{
    User: newUser,
    Flow: flow,
}, nil

Mailotp strategy

  • If authenticated via email OTP, require re-verification every X days

Benefits:

  1. Get new access tokens without requiring user re-authentication
  2. Detect when the user's access has been revoked (refresh will fail)
  3. Maintain longer sessions while still ensuring the user's access is valid
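The periodic validation job the approach above calls for, as an added example that is not Frontier's code: it walks active sessions, attempts a refresh for OIDC sessions using the stored `refresh_token` and `oidc_provider` metadata, and expires mailotp sessions older than the re-verification window. The `Session` type, the `TokenRefresher` interface and the `strategy` metadata key are assumptions made for this example.

```go
package main

import (
	"context"
	"time"
)

// Session carries only the fields this example needs (constructed; not Frontier's type).
type Session struct {
	ID, UserID string
	Metadata   map[string]string // "refresh_token"/"oidc_provider" (OIDC) or "strategy" (assumed key)
	CreatedAt  time.Time
	Revoked    bool
}

// TokenRefresher abstracts the IdP refresh call (a real one exchanges the stored refresh token).
type TokenRefresher interface {
	Refresh(ctx context.Context, provider, refreshToken string) (rotated string, err error)
}

// ValidateSessions is the periodic job: an OIDC session is revoked when the provider
// rejects the refresh (user deactivated or consent revoked); a mailotp session is revoked
// once it is older than reverifyAfter. It returns the IDs of sessions revoked in this run.
func ValidateSessions(ctx context.Context, sessions []*Session, r TokenRefresher, reverifyAfter time.Duration, now time.Time) []string {
	var revoked []string
	for _, s := range sessions {
		if s.Revoked {
			continue
		}
		switch {
		case s.Metadata["refresh_token"] != "":
			rotated, err := r.Refresh(ctx, s.Metadata["oidc_provider"], s.Metadata["refresh_token"])
			if err != nil {
				s.Revoked = true
				revoked = append(revoked, s.ID)
			} else if rotated != "" { // some providers rotate refresh tokens; keep the new one
				s.Metadata["refresh_token"] = rotated
			}
		case s.Metadata["strategy"] == "mailotp" && now.Sub(s.CreatedAt) > reverifyAfter:
			s.Revoked = true
			revoked = append(revoked, s.ID)
		}
	}
	return revoked
}

// fakeRefresher stands in for the IdP: it returns the configured error for a refresh token
// (nil for unknown tokens), so the job can be exercised offline with a simulated revoked user.
type fakeRefresher map[string]error
func (f fakeRefresher) Refresh(_ context.Context, _, rt string) (string, error) { return "", f[rt] }
```

In a deployment the job would be scheduled (e.g. hourly) and would delete or mark the returned session IDs in the database; a refresh failure is the signal that the user's access was revoked at the provider.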
