
Is there a way to invalidate session cookie, when refresh token expires #1499

Open

skatanski opened this issue Dec 2, 2024 · 2 comments

Comments

@skatanski

Version: 7.0.8

.net 8

From the documentation, I can see it's possible to synchronize the refresh token's lifetime with the session cookie in a way that clears refresh tokens when the session cookie expires. I can't find out whether the other way around is possible: making the session cookie expire when the refresh token expires. We'd like the user on the front-end side to have to manually re-authenticate when refresh tokens have expired, with this change being triggered by the back-end.

@skatanski
Author

I've investigated it a bit more, and I can see I could implement something like this in the RefreshTokenStore (whenever a refresh token is removed) or in my own implementation of DefaultRefreshTokenService. I could query the session store and remove any sessions referencing a given user/client. But perhaps there's a better way to do it, and I'd like to know if there are any counterpoints, or whether it would be considered bad practice to add such functionality in the classes I've mentioned.

@RolandGuijt

Setting the CoordinateClientLifetimesWithUserSession option in combination with server-side sessions should work. Both the session lifetime and the refresh token lifetime should be the same.

The session by default has sliding expiration. Whenever the refresh token is used, the session is renewed. So if the refresh token isn't used and expires after X hours, the session will expire at the same time.
The only case where the session would survive past the refresh token is if the user interacts with IdentityServer but not with the client app.
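Added example, not part of the thread: how the settings named in the answer above map to IdentityServer configuration in a minimal ASP.NET Core host, with the cookie (server-side session) lifetime and the client's sliding refresh-token lifetime set from one shared value. The client id, secret, redirect URI and the eight-hour lifetime are constructed sample values; the option and property names are standard IdentityServer ones.

```csharp
using Duende.IdentityServer;
using Duende.IdentityServer.Models;

var builder = WebApplication.CreateBuilder(args);

// One lifetime for both the session cookie and the refresh token, so the two
// expire together when the client stops using the refresh token (constructed value).
var sharedLifetime = TimeSpan.FromHours(8);

builder.Services
    .AddIdentityServer(options =>
    {
        // The cookie is sliding; it is renewed whenever the refresh token is used.
        options.Authentication.CookieLifetime = sharedLifetime;
        options.Authentication.CookieSlidingExpiration = true;

        // Tie client token lifetimes to the server-side user session for all clients
        // (can also be set per client with Client.CoordinateLifetimeWithUserSession).
        options.Authentication.CoordinateClientLifetimesWithUserSession = true;
    })
    // Coordination needs server-side sessions so the session can be looked up and renewed.
    .AddServerSideSessions()
    .AddInMemoryClients(new[]
    {
        new Client
        {
            ClientId = "spa-client",                           // constructed
            ClientSecrets = { new Secret("constructed-secret".Sha256()) },
            AllowedGrantTypes = GrantTypes.Code,
            RedirectUris = { "https://localhost:5001/signin-oidc" }, // constructed
            AllowedScopes = { IdentityServerConstants.StandardScopes.OpenId, "api" },

            // Issue refresh tokens with a sliding window equal to the cookie lifetime.
            AllowOfflineAccess = true,
            RefreshTokenExpiration = TokenExpiration.Sliding,
            SlidingRefreshTokenLifetime = (int)sharedLifetime.TotalSeconds,
            AbsoluteRefreshTokenLifetime = 0, // 0 = no separate absolute cap; only the sliding window applies
            RefreshTokenUsage = TokenUsage.OneTimeOnly,
        }
    });

var app = builder.Build();
app.UseIdentityServer();
app.Run();
```

With this configuration a client that lets its refresh token lapse for eight hours also loses its server-side session, which is the caveat given above: a user who keeps interacting with IdentityServer directly (but not the client) still keeps the session alive.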
