Session handling

Session handling in the OpenID Connect Provider from BankID builds on Keycloak session handling.

Warning

Single sign-on is not supported.

Session lifetime

During a regular BankID authentication the session is active for 10 minutes.

After authentication is finished, a set of tokens is issued and returned to the requesting OIDC client. The lifetimes of the ID- and Access Tokens are synchronized to a value of 300 seconds.

At token expiry, the session is considered inactive until the corresponding Refresh Token also expires. The session can, however, be refreshed within this interval, effectively prolonging the session with the OIDC Provider.

Note that session refresh happens silently, without any interaction with the end user. Renewed authentication happens only when the OIDC client makes a new authorize request, regardless of any existing session. The only exception is when the [id_login_hint](/bankid-oidc-provider/api/authorize) option is used in the authorize request and there is already an existing session in its active state (i.e. a valid ID Token).

In this case a new session is started without any end user authentication. Note however that consent handling is still performed in this case. The end user may be asked for consent if the set of requested scopes is wider than the scopes associated with ID Token used in the request.

Note also that expires_in in the response from the token endpoint is always synchronized with the exp value contained inside the ID Token and the Access Token, respectively. This is in contrast to refresh_expires_in in the same response, which is _not_ synchronized with the exp value inside the Refresh Token: the exp claim inside the Refresh Token corresponds to the exp value of the ID Token and Access Token, whereas refresh_expires_in defines the forward refresh window and hence the session lifetime. A client should therefore schedule its refresh on refresh_expires_in from the token response, not on the exp claim it can read out of the Refresh Token.
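The following is an added client-side illustration of the lifetimes described above; it is not code from the BankID OIDC Provider documentation or its SDKs. It derives the active window and the refresh window from expires_in and refresh_expires_in in the token response, shows that the exp claim inside the Refresh Token matches the ID/Access Token exp rather than the refresh window, and only attaches id_login_hint to a new authorize request while the session is still active. The token response and its unsigned (alg "none") JWTs are constructed for the example; that the id_login_hint value is the existing ID Token, and that the scope field of the token response is the scope set associated with that ID Token, are assumptions.

```python
import base64
import json

ISSUED_AT = 1_700_000_000  # constructed time (epoch seconds) at which the token response was received


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Build an alg=none JWT so the example runs offline. Real tokens are signed;
    a client must verify the signature before trusting any claim."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([_b64url(json.dumps(header).encode()), _b64url(json.dumps(claims).encode()), ""])


def jwt_claims(token: str) -> dict:
    """Decode the payload without verification. Acceptable for reading exp to
    schedule a refresh, never for trusting identity claims."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


# Constructed token response in the shape the page describes: expires_in equals the
# exp of the ID/Access Token (300 s); refresh_expires_in is the forward refresh
# window (600 s here is an assumed value); the Refresh Token's own exp claim is
# synchronized with the ID/Access Token exp, NOT with refresh_expires_in.
SAMPLE_TOKEN_RESPONSE = {
    "token_type": "Bearer",
    "expires_in": 300,
    "refresh_expires_in": 600,
    "scope": "openid profile",
    "id_token": make_unsigned_jwt({"iss": "https://oidc.example", "sub": "user-1", "iat": ISSUED_AT, "exp": ISSUED_AT + 300}),
    "access_token": make_unsigned_jwt({"iat": ISSUED_AT, "exp": ISSUED_AT + 300, "scope": "openid profile"}),
    "refresh_token": make_unsigned_jwt({"typ": "Refresh", "iat": ISSUED_AT, "exp": ISSUED_AT + 300}),
}


def deadlines(resp: dict, received_at: int) -> dict:
    """Deadlines a client should schedule on, taken from the token endpoint
    response rather than from the exp claim inside the Refresh Token."""
    return {
        "tokens_expire_at": received_at + resp["expires_in"],
        "refresh_window_ends_at": received_at + resp["refresh_expires_in"],
        # Included only to show the pitfall: this equals the ID/Access Token exp.
        "refresh_token_exp_claim": jwt_claims(resp["refresh_token"])["exp"],
    }


def session_state(resp: dict, received_at: int, now: int) -> str:
    """'active' while the ID/Access Token are valid, 'inactive_refreshable' until
    the refresh window closes, 'expired' afterwards."""
    d = deadlines(resp, received_at)
    if now < d["tokens_expire_at"]:
        return "active"
    if now < d["refresh_window_ends_at"]:
        return "inactive_refreshable"
    return "expired"


def refresh_request_body(resp: dict, client_id: str) -> dict:
    """Standard OAuth 2.0 refresh_token grant; a public client omits the secret."""
    return {"grant_type": "refresh_token", "refresh_token": resp["refresh_token"], "client_id": client_id}


def authorize_params(resp: dict, received_at: int, now: int, client_id: str, redirect_uri: str, scopes: list) -> dict:
    """Parameters for a new authorize request. id_login_hint (assumed to carry the
    existing ID Token) is only useful while the session is active; otherwise the
    end user is sent through a full BankID authentication. state/nonce omitted."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
    }
    if session_state(resp, received_at, now) == "active":
        params["id_login_hint"] = resp["id_token"]
    return params


def consent_may_be_required(resp: dict, requested_scopes: list) -> bool:
    """Consent is still handled on an id_login_hint login: expect a consent prompt
    when the requested scopes exceed those associated with the ID Token (assumed
    to be the scope field of the token response)."""
    granted = set(resp["scope"].split())
    return not set(requested_scopes) <= granted


if __name__ == "__main__":
    d = deadlines(SAMPLE_TOKEN_RESPONSE, ISSUED_AT)
    print("refresh token exp claim:", d["refresh_token_exp_claim"], "vs window end:", d["refresh_window_ends_at"])
    for t in (ISSUED_AT + 10, ISSUED_AT + 300, ISSUED_AT + 600):
        print(t - ISSUED_AT, "s after issue:", session_state(SAMPLE_TOKEN_RESPONSE, ISSUED_AT, t))
```

The key check is in deadlines(): the exp read out of the Refresh Token (issue time + 300 s) is earlier than the end of the refresh window (issue time + 600 s), so a client that schedules on that claim gives up on a session it could still have refreshed.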