We have an IdentityServer4, an MVC application as the client and an API as a protected resource.
The Client class (in IdentityServer) has the following properties: AccessTokenLifetime, IdentityTokenLifetime, AuthorizationCodeLifetime.
If we set these properties to different values (imagine 1 hour, 2 hours and 3 hours), how do these properties relate to the cookie expiration timespan?
The cookie middleware (on the MVC client) looks like this and has an expiration time of 8 hours, and the cookie middleware on the IdentityServer has an expiration timespan of 10 hours.
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationScheme = "Cookies",
        AutomaticAuthenticate = true,
        ExpireTimeSpan = TimeSpan.FromHours(8)
    });
What happens when the token expires before the cookie expires and vice versa and how should this be handled?
Upvotes: 4
Views: 3405
In ASP.NET Core, the three token lifetimes do not affect any client application cookie lifetimes.
The exception to this is if you are using the UseOpenIdConnectAuthentication middleware with UseTokenLifetime set to true, in which case the cookie lifetime will be set to the lifetime of the identity token. Thankfully this is no longer set to true by default in ASP.NET Core like it was in ASP.NET 4.x (after all, identity tokens are typically short-lived in OpenID Connect).
If tokens expire whilst a user is still authenticated within your application, you'll need to renew them. This can be done either using refresh tokens or via some sort of silent refresh policy, such as the one found in oidc-client.
Upvotes: 5
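The following is an added example, not code from the question or the answer above. It wires the MVC client in the same ASP.NET Core 1.x middleware style as the question, keeps UseTokenLifetime at its default of false so the 8-hour cookie stays independent of the token lifetimes, and handles the "token expires before the cookie" case the answer describes by renewing the access token with a refresh token from the cookie's OnValidatePrincipal event. The authority, token endpoint, client id, client secret and API scope name are placeholders, and the token-endpoint call is assumed to go through IdentityModel's TokenClient; none of those values come from the page.

```csharp
// Added example (not from the question or answer): MVC client wiring that keeps
// the cookie lifetime independent of the token lifetimes and renews tokens
// from the cookie validation event. Authority, endpoint, client credentials and
// scope names below are placeholders (assumptions).
using System;
using System.Globalization;
using System.Threading.Tasks;
using IdentityModel.Client;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;

public static class ClientAuthPipeline
{
    // Placeholder values, not taken from the page.
    const string Authority = "https://idsrv.example.com";
    const string TokenEndpoint = Authority + "/connect/token";
    const string ClientId = "mvc";
    const string ClientSecret = "secret";

    public static void Configure(IApplicationBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationScheme = "Cookies",
            AutomaticAuthenticate = true,
            // The local session: 8 hours, unrelated to any token lifetime.
            ExpireTimeSpan = TimeSpan.FromHours(8),
            Events = new CookieAuthenticationEvents
            {
                // Runs on every request that presents the cookie, so it is the
                // place to notice an expired access token while the cookie is
                // still valid and renew it.
                OnValidatePrincipal = RefreshTokensIfExpired
            }
        });

        var oidc = new OpenIdConnectOptions
        {
            AuthenticationScheme = "oidc",
            SignInScheme = "Cookies",
            Authority = Authority,
            ClientId = ClientId,
            ClientSecret = ClientSecret,
            ResponseType = "code id_token",
            // Keep the default: the cookie must NOT inherit the short
            // identity-token lifetime.
            UseTokenLifetime = false,
            // Store access_token, refresh_token and expires_at in the cookie's
            // authentication properties so OnValidatePrincipal can read them.
            SaveTokens = true
        };
        oidc.Scope.Add("api1");            // placeholder API scope name
        oidc.Scope.Add("offline_access");  // needed to receive a refresh token
        app.UseOpenIdConnectAuthentication(oidc);
    }

    static async Task RefreshTokensIfExpired(CookieValidatePrincipalContext ctx)
    {
        var expiresAt = ctx.Properties.GetTokenValue("expires_at");
        var refreshToken = ctx.Properties.GetTokenValue("refresh_token");
        if (expiresAt == null || refreshToken == null) return;

        var expiry = DateTime.Parse(expiresAt, CultureInfo.InvariantCulture,
                                    DateTimeStyles.RoundtripKind);
        // Renew shortly before the access token actually expires.
        if (expiry - DateTime.UtcNow > TimeSpan.FromMinutes(1)) return;

        // Assumption: IdentityModel's TokenClient is used for the refresh call.
        var client = new TokenClient(TokenEndpoint, ClientId, ClientSecret);
        var response = await client.RequestRefreshTokenAsync(refreshToken);
        if (response.IsError)
        {
            // Refresh token revoked or expired on IdentityServer: the local cookie
            // is no longer backed by a valid session. Reject it and clear the
            // cookie rather than serving a stale identity for the rest of the
            // 8-hour window.
            ctx.RejectPrincipal();
            await ctx.HttpContext.Authentication.SignOutAsync("Cookies");
            return;
        }

        ctx.Properties.UpdateTokenValue("access_token", response.AccessToken);
        if (response.RefreshToken != null)
            ctx.Properties.UpdateTokenValue("refresh_token", response.RefreshToken);
        var newExpiry = DateTime.UtcNow.AddSeconds(response.ExpiresIn);
        ctx.Properties.UpdateTokenValue("expires_at",
            newExpiry.ToString("o", CultureInfo.InvariantCulture));
        // Re-issue the cookie so the renewed tokens are persisted in it.
        ctx.ShouldRenew = true;
    }
}
```

With this wiring the two cases in the question play out as follows. Access token expires first: the next request hits OnValidatePrincipal, the token is refreshed in place and the cookie is re-issued; if IdentityServer refuses the refresh (the refresh token itself has expired or was revoked) the principal is rejected and the user is sent back through the OpenID Connect challenge. Cookie expires first: the cookie middleware simply treats the user as anonymous and the OIDC middleware issues a new authorize request; because the IdentityServer cookie in the question lasts 10 hours, that request completes without a login prompt as long as the IdentityServer session is still alive. Two checks on the IdentityServer side are worth making: the Client must have AllowOfflineAccess enabled or the offline_access scope will be rejected, and the refresh token's own lifetime (AbsoluteRefreshTokenLifetime / SlidingRefreshTokenLifetime on the Client) bounds how long the renewal above can keep working.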