When a user logs in via some SSO, the SSO will typically return an expires_in property.
When implementing an idprovider I want to respect that property, so that your login to Enonic XP will expire when your SSO login expires.
Having an expiresIn parameter to login could be a good place to support it.
One should also consider that some SSOs will update the expires_in property, for example when using OAuth 2.0 refresh tokens.
To support that perhaps there could be a refresh method in the idprovider which is called on every request that requires a user to be logged in. Sorta like a filter.
–
In the meantime I think the best way I can achieve this would be to make a filter. That would however mean that the idprovider app must be added to every site it is used on, not simply the userstore it is used in.
–
Another idea was to use the task API, but it currently (Enonic XP 6.9.2) does not support delayed execution.
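
The per-request expiry check described above, as an added example that is not part of the original post and does not use Enonic XP's API. `sessionFromTokenResponse`, `checkSession`, `refreshFn` and the session object shape are hypothetical names; the token response fields follow OAuth 2.0 naming.

```javascript
// Added example: all function names and the session shape are hypothetical.
const SKEW_SECONDS = 30; // treat tokens as expired slightly early to absorb clock skew

// Turn an OAuth 2.0 token response into session state with an absolute expiry.
function sessionFromTokenResponse(tokenResponse, nowMs) {
  const expiresIn = Number(tokenResponse.expires_in);
  if (!Number.isFinite(expiresIn) || expiresIn <= 0) {
    // Without a usable lifetime the local session must not be created.
    throw new Error('token response has no usable expires_in');
  }
  return {
    accessToken: tokenResponse.access_token,
    refreshToken: tokenResponse.refresh_token || null,
    expiresAtMs: nowMs + expiresIn * 1000
  };
}

// Filter-style check to run on every request that requires a logged-in user.
// refreshFn(refreshToken) must return a new token response or throw.
function checkSession(session, nowMs, refreshFn) {
  if (!session) return { action: 'login', session: null };
  if (nowMs < session.expiresAtMs - SKEW_SECONDS * 1000) {
    return { action: 'continue', session: session };
  }
  // Expired (or about to): only a refresh token can extend the login.
  if (!session.refreshToken) return { action: 'logout', session: null };
  try {
    const refreshed = sessionFromTokenResponse(refreshFn(session.refreshToken), nowMs);
    // A provider may omit refresh_token on refresh; keep the old one then.
    if (!refreshed.refreshToken) refreshed.refreshToken = session.refreshToken;
    return { action: 'continue', session: refreshed };
  } catch (e) {
    // Fail closed: a failed refresh ends the local session.
    return { action: 'logout', session: null };
  }
}
```
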