[Feature] Use OAuth2 access_token and refresh_token #15656
Replies: 3 comments
I too would like this feature to be implemented. Right now, having OIDC authenticating only the "first" login is a bit useless.
This, and to add: it would be great if Immich had SLO / Back-Channel Logout implemented to invalidate user sessions if the IdP session has ended. And/or the default session lifespan could be configured via an .env variable. Currently the hardcoded default is 400 days, which makes it impossible to have a shorter session time than on the IdP side. This means that if a user account is locked (e.g. after security events on the IdP side), the user session for Immich remains valid.
Looking for an existing SLO feature request (either back-channel or front-channel) is what led me here. Honestly both that and the originally-proposed That said, they are pretty different features. Should they stay combined here, or should a new feature request be opened for SLO?
I have searched the existing feature requests to make sure this is not a duplicate request.
The feature
I've noticed that OAuth2 usage is quite simplified within Immich. According to my investigation, it's used only for the first authentication, and after that only the internal access token, without time restriction, is used. When the user's access to the app is banned, Immich can still be used without any restriction until logout.
I would suggest storing access_token and refresh_token in the sessions table and using those properly when auth provider tokens are expired.
Platform
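The behaviour requested in the original post, as an added sketch that is not Immich code: a session check that uses the stored refresh_token once the IdP access token has expired and ends the local session when the IdP refuses the refresh. The Session fields, validateSession, demo and the injected refresh function are hypothetical; the refresh is synchronous here so the example runs offline, where a real server would call the IdP's token endpoint over HTTP.

```typescript
// Added illustration; all names are hypothetical, not Immich's schema or API.
type Session = {
  accessTokenExpiresAt: number; // epoch seconds, derived from the IdP's expires_in
  refreshToken: string;
  revoked: boolean;
};
// Outcome of a refresh_token grant (RFC 6749, section 6) at the IdP.
type RefreshResult =
  | { ok: true; expiresIn: number; refreshToken?: string }
  | { ok: false; error: string }; // e.g. "invalid_grant" once the account is locked
type Refresher = (refreshToken: string) => RefreshResult;

function validateSession(s: Session, now: number, refresh: Refresher): boolean {
  if (s.revoked) return false;
  if (now < s.accessTokenExpiresAt) return true; // IdP token still within its lifetime
  let r: RefreshResult;
  try {
    r = refresh(s.refreshToken);
  } catch {
    return false; // IdP unreachable: deny this request but keep the session for a retry
  }
  if (!r.ok) {
    s.revoked = true; // IdP refused the grant, so the local session ends too
    return false;
  }
  s.accessTokenExpiresAt = now + r.expiresIn;
  if (r.refreshToken) s.refreshToken = r.refreshToken; // honour refresh token rotation
  return true;
}

// Constructed scenario: the account is locked at the IdP while a session is live.
function demo(): boolean[] {
  const idp = { locked: false };
  const refresh: Refresher = (rt) =>
    idp.locked
      ? { ok: false, error: "invalid_grant" }
      : { ok: true, expiresIn: 300, refreshToken: rt + "-rotated" };
  const s: Session = { accessTokenExpiresAt: 1000, refreshToken: "rt0", revoked: false };
  const out = [validateSession(s, 900, refresh)]; // token valid, no IdP call
  out.push(validateSession(s, 1001, refresh)); // expired, refreshed until 1301
  idp.locked = true; // account locked at the IdP
  out.push(validateSession(s, 1200, refresh)); // still inside the token lifetime
  out.push(validateSession(s, 1302, refresh)); // refresh refused, session revoked
  return out;
}
```

In this sketch a lock at the IdP takes effect at the next access-token expiry, so the exposure window is the token lifetime (300 seconds in the constructed data) rather than the session lifetime.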