Reputation: 1246
Here I am trying to implement "Stay Signed in" functionality with IdentityServer4 so that if the user does not sign out it will keep them logged in for an unlimited time, but I can't. I have tried with client settings to increase the token lifetime to unlimited (a big number) but it does not work. Have you done this yet?
Is this possible by setting any combination of the following with some values?
AuthorizationCodeLifetime = 5,
IdentityTokenLifetime = 5,
AccessTokenLifetime = 5,
AllowOfflineAccess = true,
AbsoluteRefreshTokenLifetime = 5,
RefreshTokenUsage = TokenUsage.ReUse,
RefreshTokenExpiration = TokenExpiration.Absolute,
UpdateAccessTokenClaimsOnRefresh = true,
SlidingRefreshTokenLifetime = 5,
AllowRememberConsent = false
Is there any different way to implement this functionality?
This is the full client config:
new Client
{
ClientId = "uilocal",
ClientName = "UI development",
AllowedGrantTypes = GrantTypes.Implicit,
AllowAccessTokensViaBrowser = true,
RequireConsent = false,
RedirectUris = {"http://localhost:5004/index.html"},
PostLogoutRedirectUris =
{"http://localhost:5004/index.html"},
AllowedCorsOrigins = {"http://localhost:5004"},
AllowedScopes = new List<string>
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.OfflineAccess,
IdentityServerConstants.StandardScopes.Profile,
IdentityServerConstants.StandardScopes.Email,
"api1",
"mvc5",
"jsreport"
},
AuthorizationCodeLifetime = 5,
IdentityTokenLifetime = 5,
AccessTokenLifetime = 5,
AllowOfflineAccess = true,
AbsoluteRefreshTokenLifetime = 5,
RefreshTokenUsage = TokenUsage.ReUse,
RefreshTokenExpiration = TokenExpiration.Absolute,
UpdateAccessTokenClaimsOnRefresh = true,
SlidingRefreshTokenLifetime = 5,
AllowRememberConsent = false
}
I should mention that I have enabled IsPersistent on login:
AuthenticationProperties properties = null;
if (loginInputModel.RememberLogin)
{
properties = new AuthenticationProperties
{
IsPersistent = true
};
}
await HttpContext.Authentication.SignInAsync(user.Id, user.UserName, properties);
I should also mention that I am using the Implicit flow from an Angular application, consuming APIs by passing the access token in the request header.
Any help on this is appreciated in advance. Thanks.
Upvotes: 1
Views: 2671
It seems that it is not clear how the tokens should be used.
On login, request both an access token and a refresh token (include the offline_access scope in the token request). The refresh token is available in the hybrid, authorization code and resource owner password flows.
The access token should be short-lived (e.g. five minutes, one hour), while the refresh token should be long-lived, e.g. 30 days.
Why? Because an access token is hard to revoke in case it is intercepted. It is a self-contained package, that can't be altered (an alternative can be a reference token). So for security reasons it should be short-lived. That makes it less attractive to 'hack'.
That is why the refresh token should be long-lived: you'll need it to request a new access token. The problem with this is that the refresh token should never be intercepted, as it gives unlimited access until it expires. So the client must be able to 'keep a secret'. It is however easier to revoke a refresh token. You can also 'update' the refresh token on every request for an access token.
A refresh token is only used to request a new access token. You can request a new token at any time, even if the current access token isn't expired yet. But more likely you will request a new token when the access token is about to expire or did expire.
You can send the refresh token to IdentityServer, without having to bother the user to enter credentials.
And so on, until the refresh token itself expires. In that case you'll force the user to login at least every 30 days. But if you don't want that either you can choose to use sliding expiration.
Upvotes: 3
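As an added illustration of the setup described in this answer (example code, not the asker's or the answer's own), here is an IdentityServer4 client configuration that issues a short-lived access token plus a sliding-expiration refresh token; the client id, name and URLs are assumptions, and the lifetimes are in seconds as IdentityServer4 expects:

```csharp
using System.Collections.Generic;
using IdentityServer4;
using IdentityServer4.Models;

public static class Clients
{
    // Hypothetical browser SPA client; identifiers and URLs are assumed.
    public static IEnumerable<Client> Get() => new List<Client>
    {
        new Client
        {
            ClientId = "spa",
            ClientName = "Browser SPA",

            // Refresh tokens are not issued in the implicit flow, so use
            // authorization code with PKCE (public client, no secret).
            AllowedGrantTypes = GrantTypes.Code,
            RequirePkce = true,
            RequireClientSecret = false,
            RequireConsent = false,

            RedirectUris = { "http://localhost:5004/index.html" },
            PostLogoutRedirectUris = { "http://localhost:5004/index.html" },
            AllowedCorsOrigins = { "http://localhost:5004" },

            AllowedScopes =
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile,
                IdentityServerConstants.StandardScopes.OfflineAccess,
                "api1"
            },

            // Short-lived access token: hard to revoke once issued.
            AccessTokenLifetime = 300,

            // offline_access must be allowed for a refresh token to be issued.
            AllowOfflineAccess = true,

            // Sliding expiration: every refresh extends the window by 15 days,
            // capped at 30 days since login (0 removes the absolute cap).
            RefreshTokenExpiration = TokenExpiration.Sliding,
            SlidingRefreshTokenLifetime = 60 * 60 * 24 * 15,
            AbsoluteRefreshTokenLifetime = 60 * 60 * 24 * 30,

            // Rotate the refresh token on each use so a leaked copy stops
            // working as soon as the legitimate client refreshes.
            RefreshTokenUsage = TokenUsage.OneTimeOnly,
            UpdateAccessTokenClaimsOnRefresh = true
        }
    };
}
```

With this configuration the user stays signed in for as long as the client keeps refreshing within the sliding window, and a stolen refresh token can be revoked server-side or is invalidated by rotation on the next legitimate refresh.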