Add automatic extension of session expiry

[kamilkloch]

Preflight checklist

• I could not find a solution in the existing issues, docs, nor discussions.
• I agree to follow this project's Code of Conduct.
• I have read and am following this repository's Contribution Guidelines.
• This issue affects my Ory Network project.
• I have joined the Ory Community Slack.
• I am signed up to the Ory Security Patch Newsletter.

Describe your problem

Automatic session extension on every successful user request is arguably a standard and widely practiced approach.
This feature is missing in kratos.
Currently, the only way to extend a user session involves interacting with the kratos admin api. This defeats the purpose of making the downstream services oblivious to the kratos layer (as the downstream service possibly needs to interact with kratos admin as a reaction to the received webhook authenticated request).

Describe your ideal solution

Add configuration optin for the automatic extension of session expiry.

Workarounds or alternatives

Webhook from kratos on successful authentication, POST to kratos admin from the downstream services as a reaction to the hook authenticated request.

Version

0.13.0

[kmherrmann]

Webhook from kratos on successful authentication

actually, that would only work to customize the lifetime after login, right?
One challenge here is that to automatically extend sessions, we would probably have to do extend based on /whoami calls. This would downgrade performance for a latency-optimized endpoint that currently doesn't do writes; and it wouldn't work in all cases, depending how the applications use /whoami.

That's why we leave it to the application to decide on when to extend sessions.

[kmherrmann]

also see here: #615

[kamilkloch]

@kmherrmann Thanks for the response. I updated the issue (removed confusion around the webhook).

One challenge here is that to automatically extend sessions, we would probably have to do extend based on /whoami calls. This would downgrade performance for a latency-optimized endpoint that currently doesn't do writes; and it wouldn't work in all cases, depending how the applications use /whoami.

Session need not be extended on every /whoami call - it would suffice to track the timestamp of the most recent successful /whoami and prolong the session, say at most once a minute. Negligible performance penalty. This is how we intend to solve it on our side, hovewer, it would be nice if kratos supported it out of the box :)

[github-actions]

Hello contributors!

I am marking this issue as stale as it has not received any engagement from the community or maintainers for a year. That does not imply that the issue has no merit! If you feel strongly about this issue

• open a PR referencing and resolving the issue;
• leave a comment on it and discuss ideas on how you could contribute towards resolving it;
• leave a comment and describe in detail why this issue is critical for your use case;
• open a new issue with updated details and a plan for resolving the issue.

Throughout its lifetime, Ory has received over 10.000 issues and PRs. To sustain that growth, we need to prioritize and focus on issues that are important to the community. A good indication of importance, and thus priority, is activity on a topic.

Unfortunately, burnout has become a topic of concern amongst open-source projects.

It can lead to severe personal and health issues as well as opening catastrophic attack vectors.

The motivation for this automation is to help prioritize issues in the backlog and not ignore, reject, or belittle anyone.

If this issue was marked as stale erroneously you can exempt it by adding the backlog label, assigning someone, or setting a milestone for it.

Thank you for your understanding and to anyone who participated in the conversation! And as written above, please do participate in the conversation if this topic is important to you!

Thank you 🙏✌️