Add skip-consent, correctly use 303, rather than 302, actually rename per app 'logout' to 'require re-auth'. Add helper methods for token lifetime - allowing 10d for 10days for example.

app/controllers/active_sessions_controller.rb

@@ -71,7 +71,7 @@ class ActiveSessionsController < ApplicationController
     Rails.logger.info "ActiveSessionsController: Logged out from #{application.name} - revoked #{revoked_access_tokens} access tokens and #{revoked_refresh_tokens} refresh tokens"
 
     # Keep the consent intact - this is the key difference from revoke_consent
-    redirect_to root_path, notice: "Successfully logged out of #{application.name}."
+    redirect_to root_path, notice: "Revoked access tokens for #{application.name}. Re-authentication will be required on next use."
   end
 
   def revoke_all_consents

app/controllers/admin/applications_controller.rb

@@ -104,7 +104,7 @@ module Admin
       permitted = params.require(:application).permit(
         :name, :slug, :app_type, :active, :redirect_uris, :description, :metadata,
         :domain_pattern, :landing_url, :access_token_ttl, :refresh_token_ttl, :id_token_ttl,
-        :icon, :backchannel_logout_uri, :is_public_client, :require_pkce
+        :icon, :backchannel_logout_uri, :is_public_client, :require_pkce, :skip_consent
       )
 
       # Handle headers_config - it comes as a JSON string from the text area

app/controllers/sessions_controller.rb

@@ -86,8 +86,17 @@ class SessionsController < ApplicationController
     end
 
     # Sign in successful (password only)
+    # Preserve the return_to_after_authenticating value across session boundary
+    # (e.g., when max_age flow destroys the session and creates a temporary one)
+    preserved_return_url = session[:return_to_after_authenticating]
+
     start_new_session_for user, acr: "1"
 
+    # Restore the return URL if it was lost during session recreation
+    if preserved_return_url.present? && session[:return_to_after_authenticating].blank?
+      session[:return_to_after_authenticating] = preserved_return_url
+    end
+
     # Use status: :see_other to ensure browser makes a GET request
     # This prevents Turbo from converting it to a TURBO_STREAM request
     redirect_to after_authentication_url, notice: "Signed in successfully.", allow_other_host: true, status: :see_other
@@ -125,7 +134,12 @@ class SessionsController < ApplicationController
         if session[:totp_redirect_url].present?
           session[:return_to_after_authenticating] = session.delete(:totp_redirect_url)
         end
+        # Preserve return URL across session boundary for max_age flow
+        preserved_return_url = session[:return_to_after_authenticating]
         start_new_session_for user, acr: "2"
+        if preserved_return_url.present? && session[:return_to_after_authenticating].blank?
+          session[:return_to_after_authenticating] = preserved_return_url
+        end
         redirect_to after_authentication_url, notice: "Signed in successfully.", allow_other_host: true
         return
       end
@@ -137,7 +151,12 @@ class SessionsController < ApplicationController
         if session[:totp_redirect_url].present?
           session[:return_to_after_authenticating] = session.delete(:totp_redirect_url)
         end
+        # Preserve return URL across session boundary for max_age flow
+        preserved_return_url = session[:return_to_after_authenticating]
         start_new_session_for user, acr: "2"
+        if preserved_return_url.present? && session[:return_to_after_authenticating].blank?
+          session[:return_to_after_authenticating] = preserved_return_url
+        end
         redirect_to after_authentication_url, notice: "Signed in successfully using backup code.", allow_other_host: true
         return
       end