When dealing with OpenID Connect (OIDC) and OAuth authentication in a modern .NET application, Identity Server is ofted used as the identity provider. In this post, I’ll work through a common, but quite specific scenario: configuring the lifetime of a client session. In this case, the user of an ASP.NET MVC Client must be logged out of the session after 15 minutes of inactivity. In such a setup, there are a lot of places where you can configure time-outs, lifetimes, expirations etc. So which ones are relevant for the client session and which ones are not? Let’s find out.