-- Outbound OIDC session revalidation (single-logout for a private-network RP the -- IdP cannot reach). A background worker periodically checks each OIDC login -- against its IdP; when the IdP session is gone, the local session is deleted. -- oidc_revalidation_mode: '' / 'off' | 'introspect' (RFC 7662) | 'refresh' (refresh-attempt) -- oidc_introspection_url: the RFC 7662 endpoint (used when mode = 'introspect') -- Sessions keep the refresh token (the session-liveness signal) and the time they -- were last revalidated (for due-based, load-bounded scheduling). ALTER TABLE auth_providers ADD COLUMN oidc_revalidation_mode TEXT NOT NULL DEFAULT 'off'; ALTER TABLE auth_providers ADD COLUMN oidc_introspection_url TEXT NOT NULL DEFAULT ''; ALTER TABLE sessions ADD COLUMN oidc_refresh_token TEXT NOT NULL DEFAULT ''; ALTER TABLE sessions ADD COLUMN oidc_last_revalidated_at INTEGER NOT NULL DEFAULT 0;