FusionAuth

    SSO Session expiration time

    • ivor.didovic.88

      Hi,

      I've started using FusionAuth for handling SSO in my application, but it looks like my SSO session is dropped after a short time (~1h), even though the Session timeout for the tenant is set to 10 days and the Refresh Token duration is set to 30 days.
      When I log in to one of the applications from "MyTenant", I can see a refresh token for the "MyApplication" application and one additional refresh token for the application "Single sign-on". After ~1h of browser inactivity, this token disappears.

      Any idea what I am missing here?

      Thank you!

      • dan

        Hiya!

        Are you overriding any of the tenant settings in the application?

        Applications > Your application > Edit > JWT > Refresh Token duration might override the tenant settings.

        If that isn't the case, can you share what version of FusionAuth you are running?

        --
        FusionAuth - Auth for devs, built by devs.
        https://fusionauth.io

        • ivor.didovic.88

          Hi @dan,

          Thank you for your answer.

          FusionAuth version is 1.23.3.
          This is my configuration:

          • Default tenant:
            • Session timeout: 31536000s
            • JWT duration: 3600s
            • Refresh Token duration: 43200min
            • FusionAuth app:
              • JWT duration: 60s
              • Refresh Token duration: 60min
          • MyTenant:
            • Session timeout: 31536000s
            • JWT duration: 60s
            • Refresh Token duration: 43200min
            • App1:
              • No specific JWT configuration
            • App2:
              • No specific JWT configuration
            • App3:
              • JWT Duration: 3600s
              • Refresh Token duration: 525600min

          Can you explain to me everything that affects the SSO session duration?
          I thought I just needed to set the Session timeout of the "MyTenant" tenant and that would keep my SSO session for applications from that tenant until the "Single sign-on" refresh token expires (and, of course, if I renew the app-specific refresh token). As far as I can see, Session timeout defines the expiration time of the "Single sign-on" refresh token (User > Sessions), but it looks like in my case the "Single sign-on" refresh token is deleted after 1h (but its expiration time is 365 days). So...

          • I log in to App1 ==> App1 refresh token is created and "Single sign-on" refresh token is created
          • I go to App2 (I'm already logged in) ==> App2 refresh token is created
          • After ~1h, the "Single sign-on" refresh token is deleted; App1 and App2 refresh tokens are still there and I can use them to fetch new access tokens until they expire
          • dan

            So I just finished writing up an SSO document (not yet published, in review) and SSO and refresh tokens are orthogonal. Refresh tokens are used when you have a client who wants to get a new JWT, and SSO is used to transparently log a user in when you are using the hosted login pages.

            So I wouldn't worry about the refresh token appearing or disappearing.

            ... handling SSO in my application but looks like my SSO session is dropped after some short time ~1h, but Session timeout for the tenant is set to 10 days

            What does the fusionauth.sso cookie have for the maxage/expires value?

            --
            FusionAuth - Auth for devs, built by devs.
            https://fusionauth.io
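
One way to answer the question in the last reply without clicking through browser dev tools, as an added example (not code from the thread or from FusionAuth): the Python below classifies a `Set-Cookie` value for `fusionauth.sso` by its `Max-Age`/`Expires` attributes and compares the result with the tenant Session timeout quoted above. The header strings are constructed samples and the function names are hypothetical; which attributes FusionAuth actually sets is not stated on this page.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

NOW = datetime(2021, 1, 1, tzinfo=timezone.utc)  # fixed clock for the samples
TENANT_TIMEOUT_S = 31536000  # "Session timeout" value quoted in the thread
SAMPLES = [  # constructed Set-Cookie values, not captured from a real server
    "fusionauth.sso=PLACEHOLDER; Path=/; Secure; HttpOnly",
    "fusionauth.sso=PLACEHOLDER; Max-Age=3600; Path=/; Secure; HttpOnly",
    "fusionauth.sso=PLACEHOLDER; Expires=Sat, 01 Jan 2022 00:00:00 GMT; Path=/",
]


def cookie_lifetime(set_cookie, name, now):
    """Return (kind, seconds); kind: absent, session, persistent or expired."""
    pair, *attr_parts = [p.strip() for p in set_cookie.split(";")]
    if pair.partition("=")[0].strip() != name:
        return ("absent", None)
    attrs = {}
    for part in attr_parts:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    seconds = None
    # RFC 6265: Max-Age takes precedence over Expires; bad values are ignored.
    if "max-age" in attrs:
        try:
            seconds = int(attrs["max-age"])
        except ValueError:
            pass
    if seconds is None and "expires" in attrs:
        try:
            seconds = int((parsedate_to_datetime(attrs["expires"]) - now).total_seconds())
        except (TypeError, ValueError):
            pass
    if seconds is None:
        return ("session", None)  # no usable expiry: ends with the browser session
    return ("persistent", seconds) if seconds > 0 else ("expired", seconds)


def compare_to_timeout(set_cookie, timeout_s=TENANT_TIMEOUT_S, now=NOW):
    """Say whether fusionauth.sso, as set, can last as long as the timeout."""
    kind, seconds = cookie_lifetime(set_cookie, "fusionauth.sso", now)
    if kind == "persistent":
        return "matches timeout" if seconds >= timeout_s else "shorter than timeout"
    return kind


if __name__ == "__main__":
    for header in SAMPLES:
        print(compare_to_timeout(header), "<-", header)
```

A `session` result means the browser drops the cookie when its own session ends, whatever timeout is configured on the server side.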
