Tuesday, October 24, 2017

User not Authenticated when IdentityTokenLifetime expires


What's the correct way to refresh the IdentityToken? We're using Implicit flow.

    app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
    {
        ClientId = ConfigurationManager.AppSettings["IdSrv.ClientId"],
        Authority = ConfigurationManager.AppSettings["IdSrv.Authority"],
        AuthenticationType = "MySTS",
        ResponseType = "id_token token",   // Implicit flow
        Scope = "openid name email",
        RedirectUri = ConfigurationManager.AppSettings["IdSrv.RedirectUri"],
        PostLogoutRedirectUri = ConfigurationManager.AppSettings["IdSrv.PostLogoutRedirectUri"],
        // Must match the AuthenticationType of the middleware that owns the session cookie
        SignInAsAuthenticationType = "OAuth Bearer",
    });

IdentityTokenLifetime defaults to 300 (=5 minutes). When that time expires, the user is no longer authenticated. Should we return a Status 401 (and pass prompt=none), so the middleware redirects to IdentityServer3 and back again? Is there another way?

2 Answers

Answer 1

In theory:

  1. You could increase the TTL of the cookie when the user is signed in by OpenID, and authenticate the user by this cookie. If the cookie expires, then you could return 401 or redirect to sign in again.
  2. The identity server should provide a Refresh Token (by API), which is used to get another access token if you need one.
  3. Another thought: usually, an access token is provided only for a limited period of time for security reasons.

Answer 2

By default the ASP.NET OIDC OWIN middleware uses the identity token lifetime as the lifetime of the cookie your app will issue. This seems to be a hangover from the WS-Federation OWIN middleware, where the incoming token is much longer lived. Since identity tokens are short lived, and typically just used once and then discarded, this behavior doesn't really work for OpenID Connect.

So you have two options:

  1. Set the identity token lifetime much higher for that client within IdentityServer (using the IdentityTokenLifetime property on the Client entity).
  2. Stop the OIDC middleware from using the identity token lifetime as the cookie lifetime. This will allow your cookie middleware to control session lifetime.

You can do this by setting UseTokenLifetime to false:

    app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
    {
        // rest of your settings
        UseTokenLifetime = false
    });
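The following is an added example, not code from the question or either answer. It shows Answer 1's cookie-TTL idea and Answer 2's UseTokenLifetime fix together in one OWIN Startup for the implicit-flow client above: the cookie middleware is registered with an explicit sliding lifetime, the OIDC middleware is told not to copy the 300-second id_token lifetime onto that cookie, and the access token plus its expiry are stored as claims so the application can tell a stale access token apart from an expired session. The AppSettings keys are taken from the question; the 8-hour window, the MyApp namespace and the claim names are assumptions for illustration.

```csharp
// Added example (not from the original question or answers): an OWIN Startup for the
// implicit-flow client in the question. Names under MyApp, the 8-hour cookie window and
// the "access_token"/"expires_at" claim types are assumptions chosen for illustration.
using System;
using System.Configuration;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

[assembly: OwinStartup(typeof(MyApp.Startup))]

namespace MyApp
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // The cookie middleware owns the session. Once UseTokenLifetime is false below,
            // ExpireTimeSpan (not the id_token's exp) decides how long the user stays signed in.
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                ExpireTimeSpan = TimeSpan.FromHours(8),   // assumed value, pick per your policy
                SlidingExpiration = true,                 // re-issue the cookie on activity
                CookieHttpOnly = true,
                CookieSecure = CookieSecureOption.Always
            });

            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                ClientId = ConfigurationManager.AppSettings["IdSrv.ClientId"],
                Authority = ConfigurationManager.AppSettings["IdSrv.Authority"],
                AuthenticationType = "MySTS",
                ResponseType = "id_token token",          // implicit flow, as in the question
                Scope = "openid name email",
                RedirectUri = ConfigurationManager.AppSettings["IdSrv.RedirectUri"],
                PostLogoutRedirectUri = ConfigurationManager.AppSettings["IdSrv.PostLogoutRedirectUri"],
                SignInAsAuthenticationType = CookieAuthenticationDefaults.AuthenticationType,

                // Default is true, which makes the cookie expire together with the
                // 300-second id_token. False lets the cookie middleware above control it.
                UseTokenLifetime = false,

                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    SecurityTokenValidated = n =>
                    {
                        // The id_token is consumed here; keep the access token and when it
                        // expires so the app can re-acquire it (e.g. a prompt=none round trip)
                        // without ending the user's session.
                        var identity = n.AuthenticationTicket.Identity;
                        var message = n.ProtocolMessage;

                        if (!string.IsNullOrEmpty(message.AccessToken))
                        {
                            identity.AddClaim(new Claim("access_token", message.AccessToken));
                        }

                        int expiresInSeconds;
                        if (int.TryParse(message.ExpiresIn, out expiresInSeconds))
                        {
                            var expiresAt = DateTime.UtcNow.AddSeconds(expiresInSeconds);
                            identity.AddClaim(new Claim("expires_at", expiresAt.ToString("o")));
                        }

                        return Task.FromResult(0);
                    }
                }
            });
        }
    }
}
```

Two things to keep in mind when using this. First, the cookie lifetime is now the application's session lifetime, so an 8-hour sliding window means a stolen cookie is valid that long; choose the value deliberately and keep CookieSecure and CookieHttpOnly set. Second, decoupling the cookie fixes the "user is no longer authenticated after 5 minutes" symptom but does nothing for the access token, which still expires on IdentityServer's own schedule; check the expires_at claim before calling an API and, when it has passed, re-run the authorization request (the prompt=none challenge the question mentions) rather than sending an expired token.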