I have configured an IdentityServer with several clients, some of which are native applications using the Hybrid flow (Desktop, iOS, doesn't really matter).
I want to force a logout on a user who's inactive for over X minutes, and if possible to redirect to the login page again.
I managed to achieve this by using short-lived Refresh Tokens with RefreshTokenExpiration = true and SlidingRefreshTokenLifetime = *DesiredTimeoutTime*, and before every call to an API the client first refreshes the user's Access Token. That in fact overloads the session management idle timeout onto the Refresh Token's expiration time.
But that's not how it was designed to be used. Refresh tokens are supposed to be long lived.
Moreover, for every call to an API the client will refresh its access token, and since I'm using a persistent store for my grants (specifically SQL Server using the built-in EF support), that means I'm putting way more load than I ever wanted on my IDs DB.
I specified that I'm using a native application since I know it (probably) could be achieved using cookies for a browser-based application, but then again, those don't work very well with native applications (as far as I know; feel free to correct me if I'm wrong). If it is possible to achieve this with cookies somehow, I'd love to hear.
In general I really lack knowledge about the relationship of the Identity.Application cookie vs the Access Token. It is somewhat confusing.
Anyhow, I'm looking for a more elegant solution, if there is one.
Thanks.
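For readers who want to see the workaround described in the question spelled out, here is an added example (not code from the question or from the IdentityServer project) of the two halves it describes: an IdentityServer4 client definition with sliding refresh tokens, and a client-side helper that refreshes before every API call and treats a rejected refresh as the idle timeout having lapsed. It assumes IdentityServer4 and the IdentityModel client library; the client id, redirect URI, scope name and 15-minute idle timeout are placeholders.

```csharp
using System.Net.Http;
using System.Threading.Tasks;
using IdentityModel.Client;
using IdentityServer4.Models;

// IdentityServer side (assumed IdentityServer4): a hybrid-flow native client whose
// refresh tokens slide with use and are rejected after the idle window passes.
public static class Clients
{
    private const int IdleTimeoutSeconds = 15 * 60; // example value, not from the post

    public static Client NativeApp() => new Client
    {
        ClientId = "native-app",                        // placeholder
        AllowedGrantTypes = GrantTypes.Hybrid,
        RequireClientSecret = false,                    // public native client
        RedirectUris = { "com.example.app:/callback" }, // placeholder
        AllowedScopes = { "openid", "api" },            // placeholder API scope
        AllowOfflineAccess = true,                      // issue refresh tokens
        RefreshTokenUsage = TokenUsage.OneTimeOnly,     // rotate on every refresh
        RefreshTokenExpiration = TokenExpiration.Sliding,
        SlidingRefreshTokenLifetime = IdleTimeoutSeconds,
        AbsoluteRefreshTokenLifetime = 8 * 60 * 60,     // hard cap, active or not
        AccessTokenLifetime = 5 * 60,
    };
}

// Client side (assumed IdentityModel): refresh before each API call; a rejected
// refresh means the sliding window lapsed, so the caller sends the user to login.
public sealed class SessionGuard
{
    private readonly HttpClient _http = new HttpClient();
    private readonly string _tokenEndpoint; // from discovery, e.g. .../connect/token
    private string _refreshToken;

    public SessionGuard(string tokenEndpoint, string refreshToken) =>
        (_tokenEndpoint, _refreshToken) = (tokenEndpoint, refreshToken);

    // Returns a fresh access token, or null when the user must authenticate again.
    public async Task<string> GetAccessTokenOrNullAsync()
    {
        var response = await _http.RequestRefreshTokenAsync(new RefreshTokenRequest
        {
            Address = _tokenEndpoint,
            ClientId = "native-app",
            RefreshToken = _refreshToken,
        });
        if (response.IsError) return null;     // typically invalid_grant: idle timeout hit
        _refreshToken = response.RefreshToken; // keep the rotated token
        return response.AccessToken;
    }
}
```

Every call still hits the grant store once, which is exactly the load the question complains about; the absolute lifetime is there so a client that keeps polling cannot extend the session forever.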