Silent authentication on session expiration with oAuth2 plugin

A typical paradigm when using an oAuth2 authentication provider for SSO is to set a short-ish (8-12 hour) session expiration timeout and then silently authenticate the user if their oAuth2 session is still active. In my case I am using Auth0 and this is their documentation about this feature, which is based on the OpenId protocol: Configure Silent Authentication.

I recently changed the session timeout on my Discourse instance with the expectation that the user would be silently authenticated if they still had an active Auth0 session but it turns out that this causes the end user to receive a login prompt even though they still have an active Auth0 session. This seems like an oversight in Discourse’s implementation of the oAuth2 plugin.

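The silent-authentication flow the post refers to is the OpenID Connect `prompt=none` request: the relying party redirects the browser to the provider's authorization endpoint with `prompt=none`, and the provider either returns an authorization code without showing any UI (the user still has a provider session) or returns an error such as `login_required` (no session, so an interactive login is needed). The following added example, which is not code from Discourse, the oAuth2 plugin, or Auth0, shows the two halves of that exchange as a relying party would implement them: building the silent request and classifying the callback. The issuer URL, client id, and redirect URI are constructed placeholders.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Hypothetical values, constructed for this example only.
ISSUER = "https://example-tenant.auth0.example"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://discourse.example.com/oauth2/callback"

# Errors the OpenID Connect Core spec defines for a prompt=none request
# that cannot be satisfied without showing the user some UI.
NEEDS_INTERACTION = {"login_required", "interaction_required",
                     "consent_required", "account_selection_required"}


def build_auth_url(state, nonce, silent=True):
    """Build the authorization request. With silent=True the request
    carries prompt=none, so the provider must either answer with a code
    (existing provider session) or fail fast with an error."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": state,   # CSRF binding, checked on the way back
        "nonce": nonce,   # bound into the ID token by the provider
    }
    if silent:
        params["prompt"] = "none"
    return f"{ISSUER}/authorize?{urlencode(params)}"


def classify_callback(callback_url, expected_state):
    """Decide what the relying party should do with the provider's
    redirect back to REDIRECT_URI after a silent request."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        # Never act on a response whose state we did not issue.
        return "state_mismatch"
    if "error" in query:
        if query["error"][0] in NEEDS_INTERACTION:
            # Provider session is gone: fall back to an interactive login.
            return "needs_interactive_login"
        return "error"
    if "code" in query:
        # Silent success: exchange the code for tokens and renew the
        # local session without prompting the user.
        return "silent_success"
    return "malformed"


def next_request_after(callback_url, expected_state, state, nonce):
    """Chain the two flows: on a silent failure that only needs user
    interaction, re-issue the request without prompt=none."""
    outcome = classify_callback(callback_url, expected_state)
    if outcome == "needs_interactive_login":
        return build_auth_url(state, nonce, silent=False)
    return None
```

When the local session expires, the relying party first redirects to `build_auth_url(..., silent=True)`; only a `needs_interactive_login` outcome should ever put a login prompt in front of the user, which is exactly the step the post reports the plugin skipping.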