Implement Auth Sessions

[nabokihms]

Preflight Checklist

• I agree to follow the Code of Conduct that this project adheres to.
• I have searched the issue tracker for an issue that matches the one I want to file, without success.

Problem Description

This issue tracks the implementation of native browser sessions in Dex. Currently, Dex operates statelessly regarding the browser, relying on refresh tokens for long-term access. To support standard OIDC features like SSO, prompt handling, and improved UX, we propose introducing a server-side session entity coupled with encrypted browser cookies.

Implementation

#	Name	Link	Merged
0	DEP: Auth Sessions	#4561	✅
1	UserIdentity CRUD	#4643	✅
2	Create UserIdentity on login and persist users' consent	#4645	✅
3	AuthSessions CRUD	#4646	✅
4	TOTP support	#3712	✅
5	Create AuthSessions and set cookies	#4650	✅
6	auth_time, prompt, max_age	#4662	✅
7	AuthSessions GC	#4667	✅
8	id_token_hint	#4670	✅
9	OIDC RP-Initiated logout	#4674	✅
10	Protobuf session cookie	#4675	✅
11	Cookies encryption	#4676	✅
12	New home page for sessions	#4677	✅
13	prompt_type=select_account	#4678	✅
14	Upstream refresh logic	#4703	➖
15	WebAuthn support	#4704	✅
16	Add SSO	#4705	✅
17	More tests	#4731	✅
18	Logout confirmation	#4734	➖

Proposed Solution

This enhancement aims to bridge the gap in OIDC conformance and enable the following capabilities.

OIDC Features & Logic

• Single Sign-On (SSO)

  • Modify /auth handler to detect valid session cookies.
  • Skip connector selection if a valid session exists.
  • SSO for Password Connectors: Create session upon successful credential validation.
  • SSO for Callback Connectors: Create session upon successful upstream callback (storing upstream tokens if applicable).

• Prompt Parameter Handling

  • Support prompt=none: Return error if no session, otherwise return code immediately.
  • Support prompt=login: Ignore existing session and force re-authentication.

• ID Token Hint

  • Support id_token_hint: Validate the hint against the current session's subject.

User Experience & Lifecycle

• Remember Me

  • Add "Remember Me" checkbox to login views.
  • Consent Persistence
  • Store granted scopes per client.
  • Skip approval view if scopes are already granted for the specific client.

• Logout

  • Implement RP-Initiated Logout.
  • Logic to revoke the AuthSession and cascade revocation to associated Refresh Tokens.

• Security & MFA Foundation

  • 2FA State Management
  • Implement logic to store temporary 2FA state/codes linked to the session before final token issuance.

Alternatives Considered

No response

Additional Information

Relates Issues/PRs:

• Remember Me:

  • feat: DEP #32 "Remember me" for Password-based Connectors #4381
  • "Remember me" when logging in #32
  • question: a way to save approval/grant? #1197

• ID Token Hint:

  • support for id_token_hint #1125
  • Implicit flow: id_token_hint, prompt=none #990
  • handle id_token_hint for implicit login flow #1508

• Logout:

  • End Session Endpoint Support in Dex #1697
  • Support for SLO(Single Logout) support for OIDC connector #3292
  • Roadmap for logout implementation in SAML connector? #1600

• 2FA:

  • Two-factor authentication #352
  • Two-Factor authentication (TOTP) #3712
  • Add One Time Password support. #1270

• prompt:

  • chore: check for prompt=none in authentication requests #4325

• max_age + auth_time:

  • Support auth_time in id_token claims #1052
  • https://dexidp.io/docs/development/oidc-certification/ (we need it to pass conformance OIDC tests)

[nabokihms]

Implementing sessions (specifically the UserIdentity part) can also help us make access tokens smaller #1763