Token-renewed Sessions
Once the End User is authenticated to the Impact Finance Web App, the authenticated session must be
- kept alive as long as the End User is actively using the app, and
- (optionally) closed after a period of inactivity.
This document describes how to achieve these two tasks with "token-renewed sessions".
Keep-alive
On authentication, the session gets an expiration timestamp.
NOTE: "Token-renewed sessions" is currently only usable together with the OpenID Connect ID Token authentication mechanism. In this case, the session expiration timestamp is set to be the same as the ID Token's exp claim, making sure that the session is not valid for longer than the ID Token itself.
With a 30 second margin before this expiration time, the Web App notifies your Bank App that the token expiration is about to happen by sending an onIdTokenDidExpire event.
In order to keep the session alive, the Bank App must now generate a new ID Token and hand it back to the Web App with the updateToken event to renew the session.
If a new valid ID Token is not handed back to the Web App in time, the End User will be logged out and the Web App will request to be closed down by sending an onExitRequested event.
Signing Out on Inactivity
To provide a fail-safe mechanism to detect inactivity, the Impact Finance Web App does not track absence of activity itself. Instead, it relies on sending positive indications of activity to your Bank App through TelemetryEvents. As long as your Bank App receives these events, the End User can be considered to be actively using the Web App. Conversely, the absence of such events indicates inactivity. This ensures that inactivity can be detected even in the case of a communication failure between the Web App and the embedding application.
We assume that your Bank App already has measures and functionality in place to handle inactivity (e.g. asking the user "Are you there?") and leave it up to you to hook into this functionality for a seamless and coherent user experience.
NOTE: The TokenDidExpire event is not an indicator of activity from the End User. If the ID Token expiration time is shorter than the inactivity time limit, the inactivity timer must not be reset on token renewal, to prevent the session from being extended indefinitely.
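The two mechanisms above, keep-alive and sign-out on inactivity, as one added example that is not Impact Finance code: a JavaScript model of the Web App's token-expiry timer and the Bank App's inactivity timer, driven through a constructed timeline. The event names onIdTokenDidExpire, updateToken, onExitRequested and TelemetryEvent and the 30 second margin come from this page; the class names, the timeline record shape and the 'inactivityTimeout' outcome are assumptions.

```javascript
const EXPIRY_MARGIN_S = 30; // the Web App warns this long before the ID Token exp
// Web App side: the session is valid exactly as long as the ID Token.
class WebAppSession {
  constructor(idTokenExp) { this.exp = idTokenExp; this.warned = false; this.closed = false; }
  // Bank App hands back a fresh ID Token via updateToken. A token that is
  // already expired or does not extend the current exp is rejected.
  updateToken(newExp, nowS) {
    if (this.closed || !(newExp > nowS) || newExp <= this.exp) return false;
    this.exp = newExp;
    this.warned = false; // warn again 30 s before the new exp
    return true;
  }
  // One timer tick; returns the event the Web App would send, or null.
  tick(nowS) {
    if (this.closed) return null;
    if (nowS >= this.exp) { this.closed = true; return 'onExitRequested'; }
    if (!this.warned && nowS >= this.exp - EXPIRY_MARGIN_S) { this.warned = true; return 'onIdTokenDidExpire'; }
    return null;
  }
}

// Bank App side: inactivity is inferred only from TelemetryEvents. Token
// renewal never touches lastActivity, so renewals alone cannot keep the
// session alive indefinitely (the NOTE above).
class InactivityWatch {
  constructor(limitS, nowS) { this.limitS = limitS; this.lastActivity = nowS; }
  onTelemetryEvent(nowS) { this.lastActivity = nowS; }
  isInactive(nowS) { return nowS - this.lastActivity >= this.limitS; }
}

// Drive both sides through a constructed timeline of [second, kind, value]
// entries, kind being 'telemetry' or 'renew' (value = exp of the new token).
// Returns a log of what each side would do, one string per event.
function simulate(idTokenExp, inactivityLimitS, timeline, untilS) {
  const web = new WebAppSession(idTokenExp);
  const watch = new InactivityWatch(inactivityLimitS, 0);
  const log = [];
  for (let now = 0; now <= untilS; now++) {
    for (const [t, kind, value] of timeline.filter((e) => e[0] === now)) {
      if (kind === 'telemetry') watch.onTelemetryEvent(t);
      if (kind === 'renew') log.push(`${t}: updateToken ${web.updateToken(value, t) ? 'accepted' : 'rejected'}`);
    }
    const out = web.tick(now);
    if (out) log.push(`${now}: ${out}`);
    if (watch.isInactive(now)) { log.push(`${now}: inactivityTimeout`); break; } // hypothetical Bank App hook
    if (web.closed) break;
  }
  return log;
}
```

With an ID Token valid for 120 s and a 300 s inactivity limit, renewals at 100 s and 230 s keep the Web App alive while the Bank App still signs out at 350 s, 300 s after the last TelemetryEvent.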