mirror of
https://github.com/pocket-id/pocket-id.git
synced 2025-12-11 07:42:58 +03:00
Feature: Token Session Duration customization #104
Originally created by @BizkitCake on GitHub.
Reproduction steps
Disclaimer: I'm not devops nor programmer, former QA. Selfhosting is my hobby.
A value of 1440 was put in Session Duration in the UI under 'Application Configuration'.

Application Configuration - Session Duration example (it's grayed out because of the UI_CONFIG_DISABLED=true value; that's expected)
Everything is set up in Docker Compose. Pocket ID is pretty basic. Here are some env vars for it:
I've also tried to put two more params there to hardcode the config:
OIDC client config is pretty basic: callback and logout-callback URLs (*.domain.com & domain.com) as well as PKCE enabled.
The OIDC middleware is described like this:
However, when I check the OIDC Data Preview in the Pocket ID web UI, I see that the exp-iat time is just 1h for both the ID Token and the Access Token.

Access Token example:
Overall, it works just fine. It covers my apps with the OIDC auth flow. However, when I work with n8n or Grafana I usually do that for more than 1h, and at the moment of re-auth my apps stop responding or drop some artifacts, so I have to open id.domain.com in another tab to preserve the progress of my actions.
Expected behavior
SESSION_DURATION should change according to the setting.
Actual Behavior
Consistent 1h session regardless of the configs.
Version and Environment
Stack:
Everything is in docker
OS: Debian 12 (LXC Container) / x86_64
Log Output
In my access.log (filtered):
2025-07-27T17:55:20+03:00 ::1 - 400 - id.domain.com POST - /api/oidc/token Go-http-client/1.1
@savely-krasovsky commented on GitHub:
@stonith404 the Traefik feature you are showing is only available in Traefik Enterprise, 99% of self-hosters use community Traefik Proxy.
I believe it still should be configurable on a per-client basis. A lot of apps don't support refresh tokens and cannot prolong the session, and some of them use the access token directly without exchanging it for some sort of cookie (or even if they do, they sometimes look at the access token "ext" claim and set the same cookie lifetime). Locking it deliberately to 1h seems unreasonable to me.
@savely-krasovsky commented on GitHub:
After inspecting the code, it seems like session duration only affects the duration of the session in Pocket-ID itself. Access/Refresh/ID token lifetime is hardcoded and currently cannot be customized. To fix it, it's better to make it configurable per client.
@BizkitCake commented on GitHub:
@kmendell is there some other way to increase the token lifetime of OIDC clients?
@kmendell commented on GitHub:
I'm changing this to a feature request as it doesn't seem to be a bug.
@stonith404 commented on GitHub:
The "Session Duration" configuration is only for the session duration of Pocket ID, not for the clients, so that's expected.
OIDC clients usually don't rely on the session duration of the access token because they only use the access token once, when the user signs in, to retrieve their data. Are you sure you don't have to configure this on the client side? In your case it should be configurable with the Traefik middleware.
That said, if the client relies on the access token for the session duration, it should use the refresh token provided by Pocket ID, which expires after 30 days, to renew the access token.
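The two checks discussed in this thread, reading exp-iat from the issued tokens (what the reporter saw in the OIDC Data Preview) and renewing the access token with the refresh-token grant (what @stonith404 recommends), as an added example that is not part of the issue or of the Pocket ID code base. It assumes the token endpoint path /api/oidc/token from the reporter's access log, a placeholder client id "n8n", and a constructed, unsigned sample token; the JWT decode deliberately skips signature verification because it only inspects a token the client already holds, so it must never be used for an authorization decision.

```python
import base64
import json
import time
from typing import Optional, Tuple
from urllib.parse import urlencode


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWT WITHOUT verifying its signature.

    Only for reading exp/iat from a token you were issued; an unverified
    payload must never drive an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def token_lifetime(token: str) -> int:
    """exp - iat in seconds, the figure shown by the OIDC Data Preview."""
    claims = decode_claims(token)
    return int(claims["exp"]) - int(claims["iat"])


def needs_refresh(token: str, now: Optional[float] = None, leeway: int = 60) -> bool:
    """True when the access token expires within `leeway` seconds."""
    now = time.time() if now is None else now
    return int(decode_claims(token)["exp"]) - now <= leeway


def build_refresh_request(token_endpoint: str, client_id: str, refresh_token: str,
                          client_secret: Optional[str] = None) -> Tuple[str, dict, str]:
    """Assemble the RFC 6749 section 6 refresh-token grant as (url, headers, body).

    Send it with any HTTP client once needs_refresh() returns True.
    client_secret is None for a public PKCE client, as in the reporter's setup.
    """
    form = {"grant_type": "refresh_token", "refresh_token": refresh_token,
            "client_id": client_id}
    if client_secret is not None:
        form["client_secret"] = client_secret  # confidential client only
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    return token_endpoint, headers, urlencode(form)


def make_demo_token(iat: int, ttl: int) -> str:
    """Constructed, unsigned sample token (alg=none) for offline demonstration only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(
        {"iss": "https://id.domain.com", "iat": iat, "exp": iat + ttl}).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    # Mirrors the reporter's observation: a 1h lifetime regardless of SESSION_DURATION.
    issued_at = 1753628120
    access_token = make_demo_token(issued_at, 3600)
    print("exp - iat:", token_lifetime(access_token), "seconds")
    print("refresh needed 30s before expiry:", needs_refresh(access_token, issued_at + 3570))
    url, _, body = build_refresh_request(
        "https://id.domain.com/api/oidc/token", "n8n", "rt_placeholder")
    print("POST", url, body)
```

A client that holds the token for longer than one hour (n8n, Grafana) would call needs_refresh() before each upstream request and, when it returns True, POST the form from build_refresh_request() to the token endpoint instead of sending the user back through authorization.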