I’m using the OAuth2 plugin on my hosted site, so my co-workers can log in with Box. The main goal is to avoid having yet another credential to manage. Part of that is a requirement that if someone leaves and we deactivate their Box account, we don’t want them to be able to access our Discourse site…

The cookie having Expires: Session will re-auth on the SSO endpoint every time the browser is closed and reopened*. I think this will sort it. * Except sneaky chrome

@Falco thanks for the quick reply! I’m not sure that applies in my case, as I’m not sure I’m using SSO? I’m using OAuth2. They’re different, right? Even if I am using SSO, lots of folks use Chrome so unfortunately relying on that mechanism wouldn’t suffice.

The mechanism will work independently of authentication method. Just said SSO to illustrate my use case.

Ah, OK, thanks for clarifying! So is that header sent by default in all configurations? Or do I need to do something to turn it on? And… is there anything I can do about Chrome?

It isn’t possible atm. I’m looking to create the setting sometime in the next month. And Chrome keeps the app running on the background on desktop, but nothing we can do about it. Except using a fixed time (like 30 minutes) but that’s bad for other reasons.

Ah, I see — thanks for clarifying! An alternative approach that should work on all browsers and might be less annoying for users would be to keep track of the last time a user logged in, and on every page access compute how long ago that was, and if it’s greater than N {days,hours}, then force them…

If what you want is for people that you have deactivated to be, well, deactivated, you could deactivate their Discourse account or force browser refresh via the API. It probably wouldn’t be that hard to add such a call to your deactivation script at Box.

Thanks, but we’re not using a script. We’re manually deactivating the users when they leave the company. My hope is that we can set things up such that we wouldn’t have to do anything else; simply by dint of the Box account being deactivated, a user would lose their access to Discourse shortly there…

Force OAuth2 re-authentication after N days?

支持

aviflax (Avi Flax) 2016 年5 月 11 日 16:43 2

Seems somewhat related to this thread: Session Timeout.

话题		回复	浏览量
Silent authentication on session expiration with oAuth2 plugin SSO oauth2	0	1096	2023 年1 月 30 日
Session Timeout Data & reporting	66	9971	2025 年1 月 4 日
SSO credentials validity / forced logout WordPress	19	2360	2019 年11 月 27 日
Discourse members being logged out - how to fix? Support	11	1720	2020 年5 月 25 日
Is there a way to set session expiration after a set length of time? Feature	24	7824	2025 年12 月 4 日

Force OAuth2 re-authentication after N days?

相关话题