apache: Increase OpenID Connect RP session timeout activity

Tests: - Without patch, open FeatherWiki wiki and save after 5 minutes. Save fails. - Apply the patch, Apache app setup is run and mod_auth_openidc configuration is updated. Open FeatherWiki wiki and save after 5 minutes. Save works, wiki contents are saved. Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org> Reviewed-by: Joseph Nuthalapati <njoseph@riseup.net>
2026-03-25 09:21:10 +00:00 · 2026-03-18 12:35:42 -07:00 · 2026-03-18 12:35:42 -07:00 · 9169ef89d9
commit 9169ef89d9
parent c66e78c203
2 changed files with 32 additions and 1 deletions
--- a/plinth/modules/apache/init.py
+++ b/plinth/modules/apache/init.py
@ -86,7 +86,7 @@ class ApacheApp(app_module.App):

    app_id = 'apache'

-    _version = 16
+    _version = 17

    def __init__(self) -> None:
        """Create components for the app."""
--- a/plinth/modules/apache/privileged.py
+++ b/plinth/modules/apache/privileged.py
@ -237,6 +237,30 @@ def _setup_oidc_config():

    Keep the metadata directory and configuration file unreadable by non-admin
    users since they contain module's crypto secret and OIDC client secret.
+
+    # Session management
+
+    When apps like Syncthing are protected with mod_auth_openidc, there a
+    session maintained using server-side session storage and a cookie on the
+    client side. This session is different from the session managed by the
+    OpenID Connect Provider (FreedomBox web interface). As long as this session
+    is valid, no further authentication mechanisms are triggered.
+
+    When the session expires, if the request is a GET request (due to page
+    reload), the browser is redirected to OP, a fresh token is created, and the
+    page is loaded. However, for POST requests, 401 error is returned and if
+    the application is unaware, it won't do much about it. So, this
+    necessitates keeping the session timeout value high.
+
+    When logout is performed on FreedomBox web interface, mod_auth_openidc
+    cookie is also removed and logout feels instantaneous. However, this won't
+    work for applications not using mod_auth_openidc and for applications
+    hosted on other domains. A better way to do this is to implement OpenID
+    Connect's Back-Channel Logout or using OpenID Connect Session Management.
+
+    For more about session management see:
+    https://github.com/OpenIDC/mod_auth_openidc/wiki/Sessions-and-Timeouts and
+    https://github.com/OpenIDC/mod_auth_openidc/wiki/Session-Management-Settings
    """
    metadata_dir_path.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
    metadata_dir_path.mkdir(mode=0o700, exist_ok=True)
@ -259,6 +283,13 @@ def _setup_oidc_config():
    OIDCSSLValidateServer Off
    OIDCProviderMetadataRefreshInterval 86400

+    # Expire the mod_auth_openidc session (not the OpenID Conneect Provider
+    # session) after 10 hours of idle with a maximum session duration equal to
+    # the expiry time of the ID token (10 hours). This allows applications such
+    # as FeatherWiki to have long editing sessions before save.
+    OIDCSessionInactivityTimeout 36000
+    OIDCSessionMaxDuration 0
+
    # Use relative URL to return to the original domain
    OIDCRedirectURI /apache/oidc/callback
    OIDCRemoteUserClaim sub