When a user logs in via some SSO, the SSO will typically return a expires_in property.
When implementing an idprovider I want to respect that property, so that your login to Enonic XP will expire when your SSO login expires.
Having an expiresIn parameter to login, could be a good place to support it.
One should also consider that some SSO’s will update the expires_in property, for example when using oauth2.0 refresh tokens.
To support that perhaps there could be a refresh method in the idprovider which is called on every request that requires a user to be logged in. Sorta like a filter.
In the mean time I think the best way I can achieve this would be to make a filter. That would however mean that the idprovider app must be added to every site it is used on, not simply the userstore it is used in.
Another idea was to use the task API, but it currently (Enonic XP 6.9.2) does not support delayed execution.