Majid

Reputation: 43

IdentityServer4 refresh token never expires

We are using IdentityServer4 and have an issue with using the refresh token.

Here are my client configs: Grant Types: client_credentials, hybrid

I am checking the access token lifetime, and when it is about to expire I use the refresh token to get a new access token. After 240 seconds the access token lifetime is not extended, and my client goes to Identity Server and it issues a new set of tokens for my client.

I want my user to enter username/password after expiration of the refresh token, but Identity Server issues new tokens instead of asking for credentials.

Any ideas?

Upvotes: 1

Views: 1925

Answers (1)

mackie

Reputation: 5264

If I'm understanding correctly, you want to force the user to interactively authenticate from your client? If so, the max_age=n or prompt=login authorize endpoint parameters can be used to trigger that flow, and then you can validate the auth_time claim within your client to ensure it's recent enough.

Currently this is happening without prompting because the user still has a valid IDP session via the authentication cookie. I'd recommend using the above method over and above setting the IDP session to be aligned with your client application session lifetime.

Upvotes: 1
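
The auth_time check described in the answer above could look like this in a .NET client. This is an added example, not code from the answer or from IdentityServer4; the names AuthTimeCheck and IsRecentLogin, the use of 240 seconds as max_age, and the 30-second clock skew are assumptions, and it assumes the auth_time claim from the ID token is present on the principal.

```csharp
using System;
using System.Globalization;
using System.Security.Claims;

// Added example; AuthTimeCheck and IsRecentLogin are hypothetical names.
public static class AuthTimeCheck
{
    // True only if auth_time shows an interactive login no older than
    // maxAge, allowing clockSkew between client and identity provider.
    public static bool IsRecentLogin(ClaimsPrincipal user, TimeSpan maxAge,
                                     TimeSpan clockSkew, DateTimeOffset now)
    {
        // auth_time is seconds since the Unix epoch (OpenID Connect Core).
        var raw = user.FindFirst("auth_time")?.Value;
        if (!long.TryParse(raw, NumberStyles.None,
                           CultureInfo.InvariantCulture, out long seconds))
            return false; // missing or malformed claim: fail closed

        DateTimeOffset authTime;
        try { authTime = DateTimeOffset.FromUnixTimeSeconds(seconds); }
        catch (ArgumentOutOfRangeException) { return false; }

        if (authTime > now + clockSkew) return false; // login dated in the future
        return now - authTime <= maxAge + clockSkew;
    }
}

public static class Demo
{
    // Builds a constructed principal carrying only an auth_time claim.
    static ClaimsPrincipal UserWithAuthTime(DateTimeOffset t) =>
        new ClaimsPrincipal(new ClaimsIdentity(new[] {
            new Claim("auth_time",
                t.ToUnixTimeSeconds().ToString(CultureInfo.InvariantCulture))
        }, "constructed"));

    public static void Main()
    {
        var now = DateTimeOffset.UtcNow;
        var maxAge = TimeSpan.FromSeconds(240); // assumed to match max_age=240 on the authorize request
        var skew = TimeSpan.FromSeconds(30);    // assumed tolerance

        // Constructed sample principals, not real tokens: a recent login,
        // a stale IDP session, and a principal with no auth_time at all.
        Console.WriteLine(AuthTimeCheck.IsRecentLogin(UserWithAuthTime(now.AddSeconds(-60)), maxAge, skew, now));
        Console.WriteLine(AuthTimeCheck.IsRecentLogin(UserWithAuthTime(now.AddHours(-2)), maxAge, skew, now));
        Console.WriteLine(AuthTimeCheck.IsRecentLogin(new ClaimsPrincipal(new ClaimsIdentity()), maxAge, skew, now));
    }
}
```

When the check returns false, the client would reject the sign-in and send the user back to the authorize endpoint rather than accept the tokens.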
