Question
Deutsche Telekom Services Europe SE (DTSE)
DE
Last activity: 24 Jan 2025 4:50 EST
Token refresh / Session Timeout when using Token Credential authentication service
Hello together.
Introduction to the use case:
1. A third-party app is launching our Pega platform in a temporarily created webview container (like a browser) in the app.
2. The user is identified in the app (when accessing the app) against our company IdP Microsoft Entra ID, and the app can only hold the tokens (ID, Access, Refresh) received from Entra ID. The cookies which Entra ID / Microsoft would set in a browser in the normal OIDC flow are not available in the app anymore after the user is identified.
3. To authenticate the user when the platform is accessed in the app (webview container), we are using the Microsoft On-Behalf-Of flow, which means that the app is getting an access token (for our Pega platform) from Entra ID which is then sent with the Pega URL in the authorization header. An authentication service based on token credentials then takes care of the authentication and Pega session setup in the Pega platform.
4. The logout redirect URL is set to the same one which we use for direct login in Pega Platform (via normal browser)... the Entra ID / Microsoft OIDC logout endpoint. The redirect authentication service which is used when token validation fails during Pega access is pointing to the same one which we use for direct login in Pega Platform (via normal browser)... the Entra ID / Microsoft OIDC
Problem:
The complete authentication works without problems. Where we are currently struggling with this setup is the session timeout. This is controlled from 2 points.
1. Expiry timestamp in the access token, which is processed by our authentication service
2. Access group timeout, if this is configured to be recognized on the authentication service rule
Current behavior:
At the moment the user is always redirected to the logout redirect URL when the expiry timestamp of the access token is reached.
If the access group timeout is configured in a way that it happens before the expiry timestamp of the access token is reached, there are 2 behaviors found during testing.
A) If the authorization header is consistently added to each request to the server, the session is kept. This means the session is timing out, but this seems to trigger the token authentication service again, and as the token exists in the header and is still valid, the user is not redirected to the logout URL.
B) If the authorization header is only provided with the URL when accessing the platform and then removed for the further requests, then the user is redirected to the logout URL when the session timeout on the access group is reached.
Question:
Is there any possibility to influence the behavior to not go to the logout redirect URL when the access token is expired or the session timeout defined on the access group is enforced?
I would like to implement a solution to reach out to a URL instead which then redirects to the Pega platform with a new / refreshed access token, and by this the session in Pega will be kept alive for the user.
Thanks & regards, Matthias
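The refresh scheduling the question is after, as an added example that is not from the post or from Pega: a client-side helper that reads the `exp` claim of the access token and, together with the access group timeout, computes when the next request must carry a fresh token so the session reaches neither deadline (behavior A above). The token builder, the claim values and the safety margin are constructed for the example; the decoding is only for scheduling and is not validation, which stays with the Pega authentication service.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding that compact JWT serialization strips.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Read the payload claims of a compact JWT WITHOUT verifying it.
    Good enough to schedule a refresh on the client side only; signature,
    issuer, audience and expiry checks stay with the resource server
    (here the Pega token credential authentication service)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def seconds_until_refresh(token: str, access_group_timeout_s: int,
                          last_request_ts: int, now: int, margin_s: int = 60) -> int:
    """Seconds until the client must send a request carrying a fresh token.

    Two clocks end the Pega session: the token's exp claim and the access
    group idle timeout. Behavior A in the question shows the session survives
    the idle timeout as long as a still-valid token is in the Authorization
    header, so refresh before whichever deadline comes first, minus a margin
    for clock skew and network delay.
    """
    exp = int(decode_jwt_claims(token)["exp"])
    token_deadline = exp - margin_s
    idle_deadline = last_request_ts + access_group_timeout_s - margin_s
    return min(token_deadline, idle_deadline) - now


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed, UNSIGNED test token for this example only; a server must
    never accept a token like this."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    now = 1_700_000_000
    token = make_unsigned_jwt({"exp": now + 600, "aud": "pega-example"})
    # Token expires in 10 min, idle timeout is 60 min: refresh is due in 540 s.
    print(seconds_until_refresh(token, 3600, now, now))
```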