What is the best way to not force the user to logi...
# general
h
What is the best way to not force the user to log in again on Kratos? We have a mobile app with an hour-long session. I like that session length. But we don't want to force the user to log in every hour. In our use case, they could be offline for days or more. So, the admin extend-session won't work. Currently we have solved this by storing their username and password on the device in secure storage and calling the login API under the covers when we receive a 403 from our API (and `/whoami`), but this method has always bothered me. But this won't work with OIDC or other external providers where the app is not directly involved in supplying credentials. This is the step that is preventing us from adopting Kratos for these users. Is there a better method?
s
I'm not quite sure why you want to limit the session lifespan to one hour in your case. By storing the password, you essentially store unlimited sessions, with additional security issues. You should really extend the session lifespan to be valid for longer, as storing the session cookie should be as secure as storing the password. What you can do as well, based on the use case, is ask the user to re-authenticate before they can do "critical" operations. This is what we call privileged sessions for Kratos-specific critical operations (like changing the password). You can just compare the session's `authenticated_at` timestamp with the current time to decide whether the session is "recent enough" depending on the operation. If not, you can force the user to re-authenticate: https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-advanced-integration#refreshing-user-session
And we highly discourage storing passwords the way you do.
h
Thanks for the advice. This was helpful.
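A concrete version of the check suggested in the reply above, added here as an example; it is not code from the thread or from Ory. It takes a session in the shape of a `/sessions/whoami` response, treats an inactive or expired session as "log in again", and otherwise compares `authenticated_at` against a per-operation maximum age before a sensitive action, sending the user back through the login flow with the `refresh=true` parameter described on the linked docs page when the authentication is too old. The per-operation limits, the sample session JSON, the `kratos.example.com` host and the helper names are assumptions made for this example.

```python
"""Freshness check for an Ory Kratos session before a sensitive operation.

Added example, not Ory's code: keep a long-lived session, but require a
recent `authenticated_at` for critical operations and push the user back
through login (`?refresh=true`) when it is too old.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Hypothetical app-side policy (not a Kratos setting): maximum age of
# `authenticated_at` per operation; None means any active session will do.
MAX_AUTH_AGE: Dict[str, Optional[timedelta]] = {
    "read_profile": None,
    "change_password": timedelta(minutes=15),
    "delete_account": timedelta(minutes=5),
}

# Constructed sample in the shape of a /sessions/whoami response (not captured).
SAMPLE_SESSION = {
    "id": "9f1c3e5a-0f1d-4b8e-a4f0-000000000001",
    "active": True,
    "issued_at": "2024-05-01T10:00:00.000000Z",
    "authenticated_at": "2024-05-01T10:00:00.000000Z",
    "expires_at": "2024-05-01T11:00:00Z",
    "identity": {
        "id": "2c7b8d90-1e2f-4a3b-9c4d-000000000002",
        "traits": {"email": "user@example.com"},
    },
}


def parse_rfc3339(ts: str) -> datetime:
    """Parse a Kratos (Go, RFC 3339) timestamp into an aware UTC datetime.

    Go may emit up to nine fractional digits and a trailing 'Z'; older
    datetime.fromisoformat versions accept neither, so normalise first.
    """
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"
    body, offset = ts[:-6], ts[-6:]          # offset is always +HH:MM here
    if "." in body:
        whole, frac = body.split(".", 1)
        body = f"{whole}.{frac[:6].ljust(6, '0')}"  # microsecond precision
    return datetime.fromisoformat(body + offset).astimezone(timezone.utc)


def session_status(session: dict, operation: str,
                   now: Optional[datetime] = None) -> str:
    """Classify a whoami session for `operation`.

    "expired" - inactive or past `expires_at`: a full login is needed
    "reauth"  - valid, but `authenticated_at` is older than the operation
                allows: refresh the session through the login flow
    "ok"      - proceed
    """
    now = now or datetime.now(timezone.utc)
    if operation not in MAX_AUTH_AGE:
        raise ValueError(f"no freshness policy for operation {operation!r}")
    if not session.get("active") or parse_rfc3339(session["expires_at"]) <= now:
        return "expired"
    max_age = MAX_AUTH_AGE[operation]
    if max_age is None:
        return "ok"
    if now - parse_rfc3339(session["authenticated_at"]) > max_age:
        return "reauth"
    return "ok"


def next_login_url(status: str,
                   kratos_public_url: str = "https://kratos.example.com") -> Optional[str]:
    """Where a native app sends the user next, or None if it may proceed.

    Uses the native (API) login flow; `refresh=true` asks Kratos to
    re-authenticate the existing session instead of rejecting the flow
    because a session already exists. The host is a placeholder.
    """
    base = f"{kratos_public_url}/self-service/login/api"
    if status == "expired":
        return base
    if status == "reauth":
        return base + "?refresh=true"
    return None


def sample_status(minutes_after_login: int, operation: str) -> str:
    """Evaluate SAMPLE_SESSION at login time + N minutes (demo helper)."""
    now = parse_rfc3339(SAMPLE_SESSION["authenticated_at"]) + timedelta(minutes=minutes_after_login)
    return session_status(SAMPLE_SESSION, operation, now)


if __name__ == "__main__":
    for minutes in (3, 10, 20, 90):
        for op in MAX_AUTH_AGE:
            status = sample_status(minutes, op)
            print(f"t+{minutes:>2}m {op:<16} {status:<8} -> {next_login_url(status)}")
```

With a long session lifespan configured in Kratos, the "expired" branch covers the user who has been offline for days (a real login, which also works for OIDC providers since the app just drives the flow), and the "reauth" branch replaces the stored-password trick for critical operations without the app ever holding credentials.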