Skip to main content

Documentation Index

Fetch the complete documentation index at: https://auth0-feat-session-expiry-oidc-ipsie.mintlify.app/llms.txt

Use this file to discover all available pages before exploring further.

Session Expiry is supported for Okta and OIDC Enterprise connections only. It is not available for Microsoft Entra ID (Azure AD) connections. Microsoft does not include the session_expiry claim in Entra ID Tokens.
Auth0 supports the session_expiry claim based on the IPSIE SL1 OpenID Connect Profile for Okta and OIDC Enterprise connections. When enabled, Auth0 captures the session_expiry value from the upstream identity provider (IdP) and includes the ID Token issued to your application. The session_expiry claim ensures Auth0 and applications sessions cannot outlive the session the upstream IdP originally established.

Before you start

Before enabling session expiry enforcement:
  • Your tenant must have the id_token_session_expiry_federated feature flag enabled. Contact Auth0 Support to request enablement.
  • You must have an existing Okta or OIDC Enterprise connection.
  • The upstream identity provider must emit a session_expiry claim in its ID Token.

How it works

When a user authenticates through a session_expiry-enabled Enterprise connection, Auth0:
  1. Captures the session_expiry claim from the upstream IdP’s ID Token.
  2. Computes the effective session expiration as the minimum of the tenant’s configured absolute session lifetime, the upstream session_expiry value, and any value set by a Post-Login Action.
  3. Includes the computed session_expiry value in the ID Token issued to your application.
The session_expiry claim is a UNIX timestamp in seconds representing the absolute expiration limit for the user’s session: 
{
  "iss": "https://YOUR_AUTH_DOMAIN.auth0.com/",
  "aud": "YOUR_CLIENT_ID",
  "sub": "oidc|user@example.com",
  "iat": 1748534400,
  "exp": 1748538000,
  "session_expiry": 1748566800
}
ClaimWhat it representsScope
expID Token lifetime (typically minutes)Token validation
session_expiryApplication session ceiling (hours or days)Session management
Idle timeoutInactivity limitSeparate, configured in tenant settings
The session expiry claim is not a replacement for exp. The ID Token’s own exp remains short-lived and unchanged. session_expiry is a session-level limit included with the token claims. session_expiry is fixed at login. It is set once when the user authenticates and is not updated when tokens are refreshed. A user already logged in before this feature is enabled will not have session_expiry on their existing session; the claim only appears after their next login.
This feature addresses scheduled session expiry only. For real-time session revocation, like when a user is off-boarded mid-session, we recommend you use Back-Channel Logout.

Enable session expiry enforcement

Configure session expiry enforcement on your Enterprise connection using the Auth0 Dashboard or Management API.
  1. Navigate to Authentication > Enterprise in the Auth0 Dashboard.
  2. Select the Okta or OIDC Enterprise connection you want to configure.
  3. Select the Settings tab.
  4. Enable Enforce upstream session expiry (IPSIE).
  5. Select Save.

SDK behavior

If you use Auth0 SDKs, session expiry is enforced automatically with no changes to your application code. The SDK reads session_expiry at login, persists it with the session, and treats the session as expired once the current time reaches or passes session_expiry:
SDK typeHow expiry is enforced
Regular Web App (Next.js, Express, Python)Middleware clears the session and redirects with prompt=login; getAccessToken() throws SessionExpiredError
Single-Page App (React, Angular, Vue)getTokenSilently() / getAccessTokenSilently() rejects and triggers re-login with prompt=login
Mobile (iOS/Swift, Android/Kotlin)CredentialsManager.credentials() returns noCredentials and the app’s existing login path handles re-authentication
When a session expires due to thesession_expiry claim, the SDK behaves the same as it would for any other session expiry: the user is redirected to log in. No additional error handling is required.

Session expiry value in your app (optional)

Your application can read session_expiry to show users a session-expiring warning or to bind your application’s own session lifetime to the upstream IdP’s value. 
const claims = await auth0.getIdTokenClaims();
const sessionExpiresAt = claims?.session_expiry;   // Unix seconds
const remainingSeconds = sessionExpiresAt - Math.floor(Date.now() / 1000);
Do not persist the session_expiry value in a long-lived store, such as a cookie or localStorage, without re-validating it on each read. The value is only meaningful relative to the current wall-clock time.

Customize session behavior with Post-Login Actions

A Post-Login Action can read the upstream IdP’s session_expiry value and use it to control session and token behavior. If you need to enforce a stricter expiry than the IdP asserts, you can set the session to expire sooner. However, the Action-set value is capped by the IdP’s session_expiry and the session cannot extend beyond what the IdP permits. 
exports.onExecutePostLogin = async (event, api) => {
  const idpExpiry = event.authentication?.session_expiry;
  if (idpExpiry) {
    // Bind the Auth0 session to the IdP's session_expiry value.
    api.session.setExpiresAt(idpExpiry);
    // Ensure the claim appears in the ID Token.
    api.idToken.setCustomClaim("session_expiry", idpExpiry);
  }
};
To enforce a shorter session, pass an earlier timestamp to setExpiresAt. For example, if you want to enforce an 8 hour session regardless of the IdP’s session Passing a value later than idpExpiry has no effect; the IdP’s value remains the ceiling. To learn more about the api.session methods available in Post-Login Actions, read Configure Session Lifetime.

Verify in tenant logs

After enabling session expiry enforcement, verify the feature is working by checking tenant logs. Navigate to Auth0 Dashboard > Monitoring > Logs and look for a successful login (s) event for a user authenticating through the configured Enterprise connection. When the upstream IdP’s session_expiry is less than or equal to your tenant’s configured absolute session lifetime, the log entry includes the idp_session_expiry field (a Unix timestamp in milliseconds): 
{
  "type": "s",
  "description": "Success Login",
  "details": {
    "idp_session_expiry": 1748566800000
  }
}
If idp_session_expiry is absent from the s log, the upstream IdP either did not assert a session_expiry claim or its value exceeds the tenant’s configured maximum — in which case the tenant’s own absolute session lifetime is the ceiling.

Disable session expiry enforcement

  1. Navigate to Authentication > Enterprise in the Auth0 Dashboard.
  2. Select the connection you want to configure.
  3. Select the Settings tab.
  4. Disable Enforce upstream session expiry (IPSIE).
  5. Select Save.

Learn more