Support for persistent offline authentication for SSO/OIDC users (Offline-First SSO)

[raphaelkenyuri]

Is your feature request related to a problem? Please describe.
In ALMANACH clinical workflows, nurses/CHWs/Doctors operate in zero-connectivity zones for extended periods. Currently, if an SSO/OIDC session expires while offline, the CHT redirects to the Identity Provider (IdP) login page. Since there is no internet, the clinician is locked out of the app, preventing access to life-saving clinical algorithms and patient data.

Describe the solution you'd like

• Enable Persistent Offline SSO so that users who have logged in online once can continue to access the app offline indefinitely (or for a long configurable period).
• Offline Token Persistence: Securely store OIDC refresh tokens/sessions locally.
• Parity: SSO users should have the same offline reliability as native CHT users.

Describe alternatives you've considered

• Extending Session Cookies: Increasing web session TTLs is insecure, non-compliant with IT security policies

Additional context
This is critical for the ALMANACH project. In remote clinical settings, an SSO timeout is a "system failure" that blocks patient care.

[jkuester]

Currently, if an SSO/OIDC session expires while offline, the CHT redirects to the Identity Provider (IdP) login page. Since there is no internet, the clinician is locked out of the app

This behavior is unexpected on several levels.

Once a user has logged in via SSO, their CHT session should not expire until their CouchDB cookie expires. This should happen one year after their last request. So long as the user has a valid CouchDB session cookie, the CHT should never redirect back to the IdP.

Secondly, the CHT app should never automatically trigger a user to be logged out when offline (e.g. when not able to communicate to the CHT server). Even if a user's cookie expires (when they have been offline for 1+ year), the app should still continue to function as expected while offline. It is only when the app comes back online and connects to the server to try and sync that a re-login will be required due to the expired cookie (but once again, this should only happen when the user has been offline for 1+ year).

---

I have been trying to think of possible theories to explain this behavior. How do you know the SSO/OIDC session is expiring? Are they totally offline or just somewhere with sparse connectivity? Is this happening for all SSO users or just some?

Are there multiple people using the same device and they are manually logging out and trying to log back in?

Are you using a custom value for couch_httpd_auth.timeout?

Offline Token Persistence: Securely store OIDC refresh tokens/sessions locally.

This should not be necessary because the CHT just uses OIDC for the initial user authentication. Nothing about the user's OIDC session is stored/maintained on the CHT side. Once the CHT server completes the initial OIDC auth flow, it issues a CouchDB cookie to the user and from that point on, the user's session should behave exactly like other non-SSO users.