Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hi there, is it possible to solve this issue with hydra in any way?

Given these domains: <http://a.com|a.com>, <http://b.com|b.com>, <http://idp.com|idp.com>
<http://idp.com|idp.com> is our frontend for hydra, <http://a.com|a.com> and <http://b.com|b.com> are first party OIDC clients.
<http://a.com|a.com> and <http://b.com|b.com> both have refresh tokens, <http://idpc.om|idpc.om> uses a cookie to securely talk to hydra.
The refresh tokens and the session for <http://idp.com|idp.com> have a lifetime of 30 days.
<http://a.com|a.com> makes a request on day 1 and gets a new refresh token, <http://b.com|b.com> makes a request 5 days later and also gets a new refresh token.
<http://idp.com|idp.com> does not make any requests after the initial OIDC flow to get <http://a.com|a.com> and <http://b.com|b.com> their tokens.
Then <http://idp.com|idp.com> would expire after 30 days, <http://a.com|a.com> after 31 days and <http://b.com|b.com> after 35 days. Is there any way to synchronize the expirations?

This is currently the missing piece of the puzzle for us to solve our SLO and SSO issues.