Reputation: 227
I have an application system that is developed based on IdentityServer4 and .NET Core 2.0. Just recently I noticed that login to the server will time out in 30 minutes regardless of user activity. Client applications cannot launch other SSO-enabled applications after the 30-minute boundary. After 30 minutes, launching any new app will force user login. I looked at the cookies that might affect the SSO functionality; there are three: AspNetCore.Identity.Application, Identity.External and idsrv.session. But they are all browser session cookies. I don't see how they would time out. Does anyone know what's going on?
My related settings:
Upvotes: 4
Views: 6156
Reputation: 1934
Digging through the source code I found that the cause is a missing SecurityStamp claim (default name: AspNet.Identity.SecurityStamp) in the auth cookie (.AspNetCore.Identity.Application). After 30 minutes (the default value for options.ValidationInterval) the security stamp is validated against the stamp in the store. If it's missing in the cookie, validation fails immediately.
So the solution would be to put security stamp in the cookie.
In my case the problem was caused because I was using the wrong sign-in method: HttpContext.SignInAsync instead of the built-in Asp.Net Identity SignInManager.SignInAsync, which is preferable to use in most cases. SignInManager.SignInAsync puts that claim in the cookie.
Upvotes: 1
Reputation: 227
mode777 is right. This issue is not related to IdentityServer4 nor OpenID Connect. It's related to AspNetCore.Identity. I found this link very helpful, and it solved my timeout issue by adding a line like this:
services.Configure<SecurityStampValidatorOptions>(options => options.ValidationInterval = TimeSpan.FromHours(24));
So, what happened is this: after the 30-minute default interval, a request to the server will go through the user security stamp check. For some unknown reason, the logic that checks my user security stamp thinks the stamp is invalid and hence calls SignInManager's SignOutAsync, which kills everything. What I still don't understand is that my user security stamp is never changed! It shouldn't cause the invalidation. For now, I will let my application work with a much longer check interval, and will keep an eye on the security stamp.
Upvotes: 3
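As an added example (not code from either answer above), this puts the sign-in path mode777's answer describes next to the one it replaces, and shows the ValidationInterval setting from the workaround answer plus the comparison the stamp validator performs, using the ASP.NET Core Identity APIs; the LoginService class name and the IdentityUser user type are assumptions.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;

public static class SecurityStampConfig
{
    // Startup.ConfigureServices: the interval between security stamp checks.
    // 30 minutes is the default; the workaround answer raised it to 24 hours.
    public static void Configure(IServiceCollection services)
    {
        services.Configure<SecurityStampValidatorOptions>(options =>
            options.ValidationInterval = TimeSpan.FromMinutes(30));
    }
}

// Hypothetical service wrapping the two sign-in styles discussed in the thread.
public class LoginService
{
    private readonly SignInManager<IdentityUser> _signInManager;
    private readonly UserManager<IdentityUser> _userManager;

    public LoginService(SignInManager<IdentityUser> signInManager, UserManager<IdentityUser> userManager)
    {
        _signInManager = signInManager;
        _userManager = userManager;
    }

    // Broken: a hand-built principal carries no AspNet.Identity.SecurityStamp claim,
    // so the first validator run after ValidationInterval signs the user out.
    public Task SignInWithoutStampAsync(HttpContext ctx, IdentityUser user)
    {
        var identity = new ClaimsIdentity(IdentityConstants.ApplicationScheme);
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, user.Id));
        identity.AddClaim(new Claim(ClaimTypes.Name, user.UserName));
        return ctx.SignInAsync(IdentityConstants.ApplicationScheme, new ClaimsPrincipal(identity));
    }

    // Fixed: SignInManager builds the principal via IUserClaimsPrincipalFactory,
    // which adds the security stamp claim, so later validation finds a matching stamp.
    public Task SignInWithStampAsync(IdentityUser user, bool rememberMe)
        => _signInManager.SignInAsync(user, isPersistent: rememberMe);

    // Mirrors what the validator does: no claim, or a claim that differs from the
    // stored stamp (e.g. after UpdateSecurityStampAsync on a password change), fails.
    public async Task<bool> StampMatchesStoreAsync(ClaimsPrincipal principal)
    {
        var user = await _userManager.GetUserAsync(principal);
        var claim = principal.FindFirst("AspNet.Identity.SecurityStamp");
        if (user == null || claim == null) return false;
        return claim.Value == await _userManager.GetSecurityStampAsync(user);
    }
}
```

Lengthening ValidationInterval also delays the check that lets UpdateSecurityStampAsync revoke existing cookies after a password change, so putting the stamp claim into the cookie is the fix that keeps that protection intact.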
Reputation: 3197
First of all, this is not an Identity Server 4 or OpenID Connect related issue. This concerns the local login, probably governed by Asp.Net Identity, which is probably cookie based (it all depends on your configuration; Startup.cs would be nice).
You can configure the session timeout for Asp.Net Identity which is described here: ASP.NET Identity Session Timeout
Have you tried that?
Upvotes: 2