Skip to content

feat: support upstream IdP session_expiry ceiling (IPSIE SL1)#139

Merged
nandan-bhat merged 1 commit into
mainfrom
feat/ipsie-support
Jul 7, 2026
Merged

feat: support upstream IdP session_expiry ceiling (IPSIE SL1)#139
nandan-bhat merged 1 commit into
mainfrom
feat/ipsie-support

Conversation

@kishore7snehil

Copy link
Copy Markdown
Contributor

📋 Changes

This PR wires up support for the IPSIE SL1 session_expiry claim in auth0-fastapi — an absolute Unix-epoch ceiling an upstream IdP can assert on how long an Auth0 app session may live. The enforcement lives entirely in auth0-server-python; auth0-fastapi delegates to it through the methods it already calls, so bumping the core dependency is what turns the behavior on. The claim round-trips through the encrypted session cookie without any wrapper-side handling.

✨ Features

  • Read-time enforcement (inherited): once the ceiling is reached, get_session() / get_user() return None and clear the session cookie, so require_session and the existing redirect-to-login path re-authenticate transparently. get_access_token() raises SessionExpiredError without attempting a refresh. A 30s negative clock-skew leeway is applied.
  • Login-time handling (inherited): the ceiling is read from the ID token at /auth/callback and stamped on the session; a login whose ceiling is already in the past is rejected rather than persisted.
  • Refresh preservation (inherited): the ceiling stamped at login is preserved across refresh-token grants.

🔧 Dependencies

  • Bumps auth0-server-python to >=1.0.0b12, the release that adds session_expiry enforcement.

📖 Documentation

  • Adds examples/Sessions.md ("Session expiry from upstream IdP") covering the connection-option prerequisite, how the ceiling behaves in auth0-fastapi, reading the value, and the upgrade null-check note.
  • Cross-links it from README.md with a feature entry and a session-expiry section.

🧪 Testing

  • This change adds test coverage
  • This change has been tested on the latest version of the platform/language

Contributor Checklist

Bumps auth0-server-python to >=1.0.0b12, the release that adds
session_expiry enforcement. The wrapper delegates to the core SDK, so
the ceiling is read at login, enforced on session reads, and preserved
across refreshes with no wrapper-side handling. Adds examples/Sessions.md
and cross-links it from the README.
@kishore7snehil
kishore7snehil requested a review from a team as a code owner July 7, 2026 09:11
@nandan-bhat
nandan-bhat merged commit 516bf48 into main Jul 7, 2026
9 checks passed
@kishore7snehil kishore7snehil mentioned this pull request Jul 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants