🚀 Feature: multiple session durations #109

Open
opened 2025-10-07 23:53:27 +03:00 by OVERLORD · 5 comments

Originally created by @Tone866 on GitHub.

### Feature description

I would like to see a "remember me" option, so you can set 2 different session durations.
One short and one long.

### Pitch

I would use a remember me option for my personal devices and would uncheck it on everything else, so even if I forget to log off, it's at least not logged in that long anyway.
OVERLORD added the needs more upvotes label 2025-10-07 23:53:27 +03:00

@Tone866 commented on GitHub:

> OIDC clients usually don't rely on the session duration of the access token because they only use the access token once when the user signs in to retrieve its data.

I'm using [mod_auth_openidc](https://github.com/OpenIDC/mod_auth_openidc/tree/master) and to me it looks like I could do this, when I set the SessionMaxDuration to 0:

> When set to 0, the session duration will be set equal to the expiry time of the ID token.

@Tone866 commented on GitHub:

> I've removed the second part of the feature request because an OIDC provider (like Pocket ID) can't define the session duration of its clients.

Really? With clients I mean the OIDC clients, not end-user clients like smartphones.
So if I created two different OIDC clients in Pocket ID, say secure.example.com and lesssecure.example.com, is it not possible to set custom session times based on which URL the request is coming from?
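As an added illustration of the point argued in this thread (not configuration from the thread, from mod_auth_openidc's documentation or from the Pocket ID project), the following Apache snippet registers the two relying parties named above against one Pocket ID issuer and gives each its own session lifetime. The hostnames, client IDs, secrets, redirect paths and the issuer URL are placeholders; the directive names are mod_auth_openidc's own. The point it makes is the one in the thread: the session length is a property of each RP's configuration, so Pocket ID itself never needs to know about it.

```apache
# Added example: two relying parties, one Pocket ID issuer, two session policies.
# Placeholder values: replace the hostnames, client credentials and issuer URL.
# TLS directives for the :443 virtual hosts are omitted for brevity.

# Shared settings: where to find the provider and how to protect the session cookie.
OIDCProviderMetadataURL https://id.example.com/.well-known/openid-configuration
OIDCCryptoPassphrase    "replace-with-a-long-random-passphrase"
OIDCRemoteUserClaim     email

<VirtualHost *:443>
    ServerName secure.example.com
    # Registered in Pocket ID as its own OIDC client (placeholder credentials).
    OIDCClientID        secure-placeholder-client-id
    OIDCClientSecret    secure-placeholder-client-secret
    OIDCRedirectURI     https://secure.example.com/redirect_uri

    # Short RP session: absolute cap of 30 minutes, idle cut-off after 5 minutes.
    # These timers are local to this RP and independent of the ID token's exp.
    OIDCSessionMaxDuration        1800
    OIDCSessionInactivityTimeout  300

    <Location />
        AuthType  openid-connect
        Require   valid-user
    </Location>
</VirtualHost>

<VirtualHost *:443>
    ServerName lesssecure.example.com
    # A second, separate OIDC client in Pocket ID (placeholder credentials).
    OIDCClientID        lesssecure-placeholder-client-id
    OIDCClientSecret    lesssecure-placeholder-client-secret
    OIDCRedirectURI     https://lesssecure.example.com/redirect_uri

    # Long "remember me" style RP session: 14 days absolute, 1 day idle.
    OIDCSessionMaxDuration        1209600
    OIDCSessionInactivityTimeout  86400

    <Location />
        AuthType  openid-connect
        Require   valid-user
    </Location>
</VirtualHost>

# Deliberately not used above: "OIDCSessionMaxDuration 0" is the option quoted
# in the thread that ties the RP session length to the ID token's exp claim.
```

Both virtual hosts authenticate against the same issuer, and Pocket ID only sees two registered clients; the short and long sessions come entirely from the two `OIDCSessionMaxDuration` / `OIDCSessionInactivityTimeout` pairs on the RP side.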

@stonith404 commented on GitHub:

Sorry for my late response. Yes, please see my comment (https://github.com/pocket-id/pocket-id/issues/792#issuecomment-3164845967) in another issue.


@stonith404 commented on GitHub:

In my opinion this option should get removed by mod_auth_openidc because the [OIDC spec defines](https://openid.net/specs/openid-connect-core-1_0.html#IDToken) that ID tokens shouldn't be used to define the session duration.

> NOTE: The ID Token expiration time is unrelated to the lifetime of the authenticated session between the RP and the OP.

@stonith404 commented on GitHub:

Thanks for the suggestion. I've removed the second part of the feature request because an OIDC provider (like Pocket ID) can't define the session duration of its clients.

Reference: starred/pocket-id-pocket-id-1#109