Wikia · mmeller-wikia · Jan 19, 2022 · Dec 29, 2021 · Dec 29, 2021 · Dec 29, 2021
diff --git a/driver/config/config.go b/driver/config/config.go
@@ -95,6 +95,8 @@ const (
 	ViperKeySessionPath                                      = "session.cookie.path"
 	ViperKeySessionPersistentCookie                          = "session.cookie.persistent"
 	ViperKeySessionWhoAmIAAL                                 = "session.whoami.required_aal"
+	ViperKeySessionWhoAmIRefresh                             = "session.whoami.refresh"
+	ViperKeySessionRefreshTimeWindow                         = "session.refresh_time_window"
 	ViperKeyCookieSameSite                                   = "cookies.same_site"
 	ViperKeyCookieDomain                                     = "cookies.domain"
 	ViperKeyCookiePath                                       = "cookies.path"
@@ -1029,6 +1031,14 @@ func (p *Config) SessionWhoAmIAAL() string {
 	return p.p.String(ViperKeySessionWhoAmIAAL)
 }
 
+func (p *Config) SessionWhoAmIRefresh() bool {
+	return p.p.Bool(ViperKeySessionWhoAmIRefresh)
+}
+
+func (p *Config) SessionRefreshTimeWindow() time.Duration {
+	return p.p.DurationF(ViperKeySessionRefreshTimeWindow, p.SessionLifespan())
+}
+
 func (p *Config) SelfServiceSettingsRequiredAAL() string {
 	return p.p.String(ViperKeySelfServiceSettingsRequiredAAL)
 }

diff --git a/embedx/config.schema.json b/embedx/config.schema.json
@@ -2115,6 +2115,12 @@
           "properties": {
             "required_aal": {
               "$ref": "#/definitions/featureRequiredAal"
+            },
+            "refresh": {
+              "title": "Allow session refresh from whoami endpoint",
+              "description": "If set to true will allow to refresh session lifespan if ?refresh=true is present",
+              "type": "boolean",
+              "default": false
             }
           },
           "additionalProperties": false
@@ -2168,6 +2174,18 @@
             }
           },
           "additionalProperties": false
+        },
+        "refresh_time_window": {
+          "title": "Session refresh time window",
+          "description": "Time window when session can be refreshed to avoid excess refreshes. It is calculated as duration from the session expiration time.",
+          "type": "string",
+          "pattern": "^[0-9]+(ns|us|ms|s|m|h)$",
+          "default": "24h",
+          "examples": [
+            "1h",
+            "1m",
+            "1s"
+          ]
         }
       }
     },

diff --git a/internal/httpclient/.openapi-generator/FILES b/internal/httpclient/.openapi-generator/FILES
@@ -3,6 +3,7 @@
 .travis.yml
 README.md
 api/openapi.yaml
+api_default.go
 api_metadata.go
 api_v0alpha2.go
 client.go
@@ -11,6 +12,7 @@ docs/AdminCreateIdentityBody.md
 docs/AdminCreateSelfServiceRecoveryLinkBody.md
 docs/AdminUpdateIdentityBody.md
 docs/AuthenticatorAssuranceLevel.md
+docs/DefaultApi.md
 docs/ErrorAuthenticatorAssuranceLevelNotSatisfied.md
 docs/GenericError.md
 docs/HealthNotReadyStatus.md

diff --git a/internal/httpclient/README.md b/internal/httpclient/README.md
@@ -83,6 +83,7 @@ All URIs are relative to *http://localhost*
 
 Class | Method | HTTP request | Description
 ------------ | ------------- | ------------- | -------------
+*DefaultApi* | [**V0alpha2**](docs/DefaultApi.md#v0alpha2) | **Get** /sessions/refresh | Calling this endpoint refreshes a current user session. If &#x60;session.refresh_time_window&#x60; is set it will only refresh the session after this time has passed.
 *MetadataApi* | [**GetVersion**](docs/MetadataApi.md#getversion) | **Get** /version | Return Running Software Version.
 *MetadataApi* | [**IsAlive**](docs/MetadataApi.md#isalive) | **Get** /health/alive | Check HTTP Server Status
 *MetadataApi* | [**IsReady**](docs/MetadataApi.md#isready) | **Get** /health/ready | Check HTTP Server and Database Status
@@ -93,6 +94,7 @@ Class | Method | HTTP request | Description
 *V0alpha2Api* | [**AdminGetIdentity**](docs/V0alpha2Api.md#admingetidentity) | **Get** /identities/{id} | Get an Identity
 *V0alpha2Api* | [**AdminIdentitySession**](docs/V0alpha2Api.md#adminidentitysession) | **Get** /identities/{id}/session | Calling this endpoint issues a session for a given identity.
 *V0alpha2Api* | [**AdminListIdentities**](docs/V0alpha2Api.md#adminlistidentities) | **Get** /identities | List Identities
+*V0alpha2Api* | [**AdminSessionRefresh**](docs/V0alpha2Api.md#adminsessionrefresh) | **Patch** /sessions/refresh/{id} | Calling this endpoint refreshes a given session. If &#x60;session.refresh_time_window&#x60; is set it will only refresh the session after this time has passed.
 *V0alpha2Api* | [**AdminUpdateCredentials**](docs/V0alpha2Api.md#adminupdatecredentials) | **Put** /identities/{id}/credentials | Update Identity Credentials
 *V0alpha2Api* | [**AdminUpdateIdentity**](docs/V0alpha2Api.md#adminupdateidentity) | **Put** /identities/{id} | Update an Identity
 *V0alpha2Api* | [**CreateSelfServiceLogoutFlowUrlForBrowsers**](docs/V0alpha2Api.md#createselfservicelogoutflowurlforbrowsers) | **Get** /self-service/logout/browser | Create a Logout URL for Browsers

diff --git a/internal/httpclient/api/openapi.yaml b/internal/httpclient/api/openapi.yaml
@@ -2227,13 +2227,92 @@ paths:
       summary: Get Verification Flow
       tags:
       - v0alpha2
+  /sessions/refresh:
+    get:
+      description: |-
+        This endpoint is useful for:
+
+        Session refresh
+      operationId: v0alpha2
+      responses:
+        "200":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/successfulAdminIdentitySession'
+          description: successfulAdminIdentitySession
+        "404":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/jsonError'
+          description: jsonError
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/jsonError'
+          description: jsonError
+      security:
+      - oryAccessToken: []
+      summary: |-
+        Calling this endpoint refreshes a current user session.
+        If `session.refresh_time_window` is set it will only refresh the session after this time has passed.
-        If `session.refresh_time_window` is set it will only refresh the session after this time has passed.
+        If `session.refresh_min_time_left` is set it will only refresh the session after this time has passed.
-        If `session.refresh_time_window` is set it will only refresh the session after this time has passed.
+        If `session.refresh_min_time_left` is set it will only refresh the session after this time has passed.
+  /sessions/refresh/{id}:
+    patch:
+      description: |-
+        This endpoint is useful for:
+
+        Session refresh
+      operationId: adminSessionRefresh
+      parameters:
+      - description: ID is the session's ID.
+        explode: false
+        in: path
+        name: id
+        required: true
+        schema:
+          type: string
+        style: simple
+      responses:
+        "200":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/session'
+          description: session
+        "404":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/jsonError'
+          description: jsonError
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/jsonError'
+          description: jsonError
+      security:
+      - oryAccessToken: []
+      summary: |-
+        Calling this endpoint refreshes a given session.
+        If `session.refresh_time_window` is set it will only refresh the session after this time has passed.
+      tags:
+      - v0alpha2
   /sessions/whoami:
     get:
       description: |-
         Uses the HTTP Headers in the GET request to determine (e.g. by using checking the cookies) who is authenticated.
         Returns a session object in the body or 401 if the credentials are invalid or no credentials were sent.
         Additionally when the request it successful it adds the user ID to the 'X-Kratos-Authenticated-Identity-Id' header in the response.
 
+        It is also possible to refresh the session lifespan of a current session by adding a `refresh=true` param to the request url.
+        By default session refresh on this endpoint is disabled.
+        Session refresh can be enabled only after setting `session.whoami.refresh` to true in the config.
+        After enabling this option any refresh request will set the session life equal to `session.lifespan`.
+        If you want to refresh the session only some time before session expiration you can set a proper value for `session.refresh_time_window`
+
         If you call this endpoint from a server-side application, you must forward the HTTP Cookie Header to this endpoint:
 
         ```js
@@ -2265,6 +2344,7 @@ paths:
         AJAX calls. Remember to send credentials and set up CORS correctly!
         Reverse proxies and API Gateways
         Server-side calls - use the `X-Session-Token` header!
+        Session refresh
 
         This endpoint authenticates users by checking
 

diff --git a/internal/httpclient/api_default.go b/internal/httpclient/api_default.go