feat: support upstream IdP session_expiry ceiling (IPSIE SL1)#139
Merged
Conversation
Bumps auth0-server-python to >=1.0.0b12, the release that adds session_expiry enforcement. The wrapper delegates to the core SDK, so the ceiling is read at login, enforced on session reads, and preserved across refreshes with no wrapper-side handling. Adds examples/Sessions.md and cross-links it from the README.
nandan-bhat
approved these changes
Jul 7, 2026
Merged
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
📋 Changes
This PR wires up support for the IPSIE SL1
session_expiryclaim in auth0-fastapi — an absolute Unix-epoch ceiling an upstream IdP can assert on how long an Auth0 app session may live. The enforcement lives entirely in auth0-server-python; auth0-fastapi delegates to it through the methods it already calls, so bumping the core dependency is what turns the behavior on. The claim round-trips through the encrypted session cookie without any wrapper-side handling.✨ Features
get_session()/get_user()returnNoneand clear the session cookie, sorequire_sessionand the existing redirect-to-login path re-authenticate transparently.get_access_token()raisesSessionExpiredErrorwithout attempting a refresh. A 30s negative clock-skew leeway is applied./auth/callbackand stamped on the session; a login whose ceiling is already in the past is rejected rather than persisted.🔧 Dependencies
auth0-server-pythonto>=1.0.0b12, the release that addssession_expiryenforcement.📖 Documentation
examples/Sessions.md("Session expiry from upstream IdP") covering the connection-option prerequisite, how the ceiling behaves in auth0-fastapi, reading the value, and the upgrade null-check note.README.mdwith a feature entry and a session-expiry section.🧪 Testing
Contributor Checklist