auth-testing
| name | auth-testing |
| description | Test OAuth2 token refresh and session expiry locally. Use when working on auth, tokens, SSO, OIDC, or session management features. |
Test OAuth2 authentication flows locally using the built-in OIDC server:

```sh
pnpm dev:with-auth
```

This starts the UI server (localhost:8081) together with the built-in OIDC server (localhost:8889). The settings that matter for these tests live in two files:

| File | Purpose |
|---|---|
| server/config/with-auth.yaml | UI server auth settings (maxSessionDuration, providers) |
| utilities/oidc-server/support/configuration.ts | OIDC server TTLs (token expiry, session duration) |
Scenario 1: token refresh. Test that tokens refresh automatically before expiry.

Config: AccessToken TTL (60s) < maxSessionDuration (2m)

Steps: log in, wait up to 60s (the access-token TTL), and watch the Network tab for the /auth/refresh request that renews the tokens; the UI should stay logged in without a redirect to the OIDC server.

Scenario 2: session expiry. Test that sessions expire and force re-login.

Config: maxSessionDuration = Session TTL (both 2m)

Steps: log in, wait for 2m to elapse, and confirm that the next request forces a full re-authentication at the OIDC server instead of a silent refresh.
Scenario 3: long-lived session. Test long-lived sessions with only token refresh.

Config changes:

```yaml
# server/config/with-auth.yaml
auth:
  maxSessionDuration: 0 # Disable session limit
```

```ts
// utilities/oidc-server/support/configuration.ts
ttl: {
  Session: 60 * 60 * 24, // 1 day
}
```
The maxSessionDuration config enforces a hard limit on how long a user can stay logged in, independent of token expiry. On login the server sets a session_start cookie holding the current timestamp; on later requests it compares the elapsed time against maxSessionDuration and forces a full re-authentication once the limit is exceeded, even if the tokens could still be refreshed.

```yaml
# server/config/with-auth.yaml
auth:
  enabled: true
  maxSessionDuration: 2m # Duration string (e.g., 30m, 1h, 24h)
                         # Set to 0 or omit to disable
```
| Mechanism | Controls | Behavior on expiry |
|---|---|---|
| Token TTL | How often tokens refresh | Silent refresh via /auth/refresh |
| maxSessionDuration | Total session lifetime | Full re-authentication required |

The TTLs must be ordered so that each mechanism can do its job:

- AccessToken TTL < maxSessionDuration → enables token refresh within the session
- Session TTL = maxSessionDuration → forces re-auth at the OIDC server on expiry
- RefreshToken TTL > Session TTL → allows refresh for the whole session
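The interaction between token TTL and maxSessionDuration, as an added TypeScript example (not code from the Temporal UI project or its auth-refresh.ts): given the access token, the session_start timestamp and the configured maxSessionDuration, it decides whether the client should do nothing, refresh silently, or force re-authentication, and how long a timer should wait before the next check. Assumptions not taken from the page: a 15-second refresh lead before `exp`, duration strings limited to h/m/s units, and an access token that is a compact JWS carrying a numeric `exp` claim. The sample token is constructed inline (unsigned, alg "none") to mirror the defaults above.

```typescript
// Added example (not the Temporal UI project's own code). Two mechanisms:
//   token TTL          -> silent refresh via /auth/refresh shortly before exp
//   maxSessionDuration -> hard stop measured from session_start; a refresh
//                         can never extend it.
// Assumptions: refresh 15 s before exp; durations use h/m/s; token is a JWS.

type Action = "ok" | "refresh" | "reauth";

const B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

// Parse "2m", "1h30m", "90s" into seconds; "0" / "" mean "no limit" (null),
// matching `maxSessionDuration: 0`.
function parseDuration(s: string): number | null {
  const t = s.trim();
  if (t === "" || t === "0") return null;
  const re = /(\d+)(h|m|s)/g;
  let total = 0;
  let consumed = 0;
  let m: RegExpExecArray | null;
  while ((m = re.exec(t)) !== null) {
    consumed += m[0].length;
    total += Number(m[1]) * (m[2] === "h" ? 3600 : m[2] === "m" ? 60 : 1);
  }
  if (consumed !== t.length) throw new Error(`unsupported duration: ${s}`);
  return total === 0 ? null : total;
}

// Minimal base64url codec for ASCII payloads (no padding); enough for JWT
// claims and avoids depending on Buffer/atob typings.
function base64urlEncode(s: string): string {
  let acc = 0, bits = 0, out = "";
  for (let i = 0; i < s.length; i++) {
    acc = ((acc << 8) | (s.charCodeAt(i) & 0xff)) & 0xffff;
    bits += 8;
    while (bits >= 6) {
      bits -= 6;
      out += B64URL[(acc >> bits) & 0x3f];
    }
  }
  if (bits > 0) out += B64URL[(acc << (6 - bits)) & 0x3f];
  return out;
}

function base64urlDecode(s: string): string {
  const t = s.replace(/=+$/, "");
  let acc = 0, bits = 0, out = "";
  for (let i = 0; i < t.length; i++) {
    const v = B64URL.indexOf(t[i]);
    if (v < 0) throw new Error(`invalid base64url character: ${t[i]}`);
    acc = ((acc << 6) | v) & 0xffff;
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      out += String.fromCharCode((acc >> bits) & 0xff);
    }
  }
  return out;
}

// Extract exp (epoch seconds) from a compact JWS. Deliberately no signature
// check: the Go server validates tokens ([JWT Validation] log line); the
// client only needs to know when to schedule a refresh.
function jwtExp(token: string): number {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const claims = JSON.parse(base64urlDecode(parts[1])) as { exp?: unknown };
  if (typeof claims.exp !== "number") throw new Error("no numeric exp claim");
  return claims.exp;
}

interface SessionState {
  accessToken: string;         // JWT carried in the user0, user1... cookies
  sessionStart: number;        // epoch seconds from the session_start cookie
  maxSessionDuration: string;  // UI server setting, e.g. "2m" or "0"
  refreshLeadSeconds?: number; // assumed default: 15 s before exp
}

// What the client should do at time `now` (epoch seconds).
function nextAction(state: SessionState, now: number): Action {
  const limit = parseDuration(state.maxSessionDuration);
  // The hard session limit wins: once elapsed, no refresh can extend it.
  if (limit !== null && now - state.sessionStart >= limit) return "reauth";
  const lead = state.refreshLeadSeconds ?? 15;
  return now >= jwtExp(state.accessToken) - lead ? "refresh" : "ok";
}

// Seconds until the earlier of "refresh is due" and "session limit reached",
// so a single timer can fire instead of polling.
function secondsUntilNextAction(state: SessionState, now: number): number {
  const limit = parseDuration(state.maxSessionDuration);
  const refreshAt = jwtExp(state.accessToken) - (state.refreshLeadSeconds ?? 15);
  const deadline = limit === null ? refreshAt : Math.min(refreshAt, state.sessionStart + limit);
  return Math.max(0, deadline - now);
}

// Constructed sample mirroring the defaults: access token TTL 60 s,
// maxSessionDuration 2m, session started 30 s ago.
const NOW = 1700000000;
function sampleState(maxSessionDuration = "2m"): SessionState {
  const header = base64urlEncode(JSON.stringify({ alg: "none", typ: "JWT" }));
  const payload = base64urlEncode(JSON.stringify({ sub: "user0", exp: NOW + 60 }));
  return { accessToken: `${header}.${payload}.`, sessionStart: NOW - 30, maxSessionDuration };
}

for (const offset of [0, 50, 90]) {
  console.log(`t+${offset}s:`, nextAction(sampleState(), NOW + offset));
}
```

At t+50s the token is within its refresh lead, so the action is "refresh"; at t+90s the session has been open for 120 s, so the hard limit forces "reauth" even though the refresh cookie (1 day TTL) would still be accepted; with maxSessionDuration "0" the same moment yields "refresh" instead.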
| Setting | Value | Location |
|---|---|---|
| Access Token TTL | 60s | OIDC config |
| ID Token TTL | 60s | OIDC config |
| Refresh Token TTL | 1 day | OIDC config |
| OIDC Session TTL | 2m | OIDC config |
| Max Session Duration | 2m | UI server config |
The Go server logs token validation:

```text
[Auth] Setting refresh token cookie (length: X)
[JWT Validation] Token valid, expires at X (time remaining: X)
```
In browser DevTools > Application > Cookies:

- user0, user1... - Base64 encoded user data (short-lived)
- refresh - HttpOnly refresh token (long-lived)
- session_start - Session start timestamp (HttpOnly)

Manual checks from the command line:

```sh
# Get OIDC discovery
curl http://localhost:8889/.well-known/openid-configuration

# Manual token refresh (requires valid refresh cookie)
curl -X GET http://localhost:8081/auth/refresh --cookie "refresh=<token>"
```

Relevant source files:

- server/server/route/auth.go - Auth routes and callbacks
- server/server/auth/auth.go - Token validation and session management
- server/server/config/config.go - Auth config struct
- src/lib/utilities/auth-refresh.ts - Client-side refresh logic