onefootswill

Reputation: 4087

IdentityServer with Sliding Expiration Never Logs User Out

Most of the questions I found here on SO have the opposite problem - i.e. the session does not slide. My problem is that it never seems to stop.

The only way I am able to get automatically logged out for an expired session is if I make the window absolute (SlidingExpiration = false).

I'm using IdentityServer 4 with ASP.NET Identity for the backing user store.

The configuration of the cookie which I currently have is:

services.AddIdentity<IdpUser, IdentityRole<int>>()
    .AddEntityFrameworkStores<IdpDbContext>()
    .AddDefaultTokenProviders();

// Note ASP.NET identity uses a cookie called "Identity.Application"
services.ConfigureApplicationCookie(options =>
{
    options.ExpireTimeSpan = TimeSpan.FromMinutes(15); // for testing purposes
    options.SlidingExpiration = true;
});

Our client is a Vuejs app using oidc-client.js to manage the tokens.

I've reduced all of the lifetimes in the client-configuration down to 300s (including the access token). So, it gets a new access_token every 300s.

I would expect that if I logged in, walked away for more than 15 minutes and came back, I would have been logged out. But this is not the case. It keeps getting new tokens.

Even if I refresh the whole page, I am still not logged out.

Following further investigation, I believe the constant polling which oidc-client.js does is extending the sliding window for the authentication cookie. This is a theory based on observed behavior. I increased the duration of the access_token lifetime such that it was longer than the authentication cookie. In this case, the user was logged out after the auth cookie expired. Presumably because the client did not request another access_token in that time (and thereby extending the window).

So it seems that the sliding window will keep sliding until the SlidingRefreshTokenLifetime is reached, which defaults at around 15 days.

Is reducing the SlidingRefreshTokenLifetime down to something like 3 hours likely to be my answer?

Thanks

Upvotes: 0

Views: 2129

Answers (1)

Transformer

Reputation: 7439

My guess is you are overriding it unknowingly, since it's poorly documented. Double-check whether you are using the Token Lifetime so you are not overriding it. SlidingExpiration is on your cookie middleware only.

To fix it, try to set UseTokenLifetime = false;

Double-check/set it up in both the openIdOptions on the client and the CookieOptions on the IdentityServer middleware.


Update/Response to comment:

@onefootswill, yes, these are very much part and parcel of IdentityServer4 and ASP.NET Core 2, 3 and 5; please look at the official documentation pictures below.

Identity Server 4: IdentityServer Official Documentation Sliding Expiration

Microsoft: Microsoft Official Documentation Token JWT Lifetime ASP Core (MSDN ref)


app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
    ...
    UseTokenLifetime = false,
    ...
});

Client

For JWT, did you set up your client with the access and refresh tokens? There are two; make sure you configure those as well. Refresh token

var idsClient = new Client
{
    ClientName = configuredOption.Name,
    ClientId = configuredOption.ClientId,
    RequireConsent = false,
    RequirePkce = false,
    AllowOfflineAccess = true,
    AllowAccessTokensViaBrowser = true,
    // Double check how you configure RefreshTokenUsage:
    // you can do one-time or other options
    RefreshTokenUsage = TokenUsage.OneTimeOnly,
    RefreshTokenExpiration = TokenExpiration.Sliding,
    // AccessTokenLifetime is an int (seconds); TotalSeconds is a double, so cast it
    AccessTokenLifetime = (int)new TimeSpan(2, 0, 0).TotalSeconds,
    //AccessTokenLifetime = 7200, //2 hours
    AbsoluteRefreshTokenLifetime = xx, // set this up
    SlidingRefreshTokenLifetime = yy // set this up
};

Update 2: for oidc-client-js, this should work in your Vue.js app.

Out of the box I don't think it's there, but you can implement/make the user re-login after a period of inactivity.

In your oidc-client-js configuration, set automaticSilentRenew to false and set up your UserSsoLifetime (good sample code/question and quickstart UI from GitHub).

  • Implement your own logic to indicate user inactivity and call the signinSilent API (sample code). To get the user to expire/re-login after the inactivity:
  1. automaticSilentRenew = false

  2. configure UserSsoLifetime in the IdentityServer configuration: "The maximum duration (in seconds) since the last time the user authenticated...."

oidc client management

Upvotes: 3
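As an added illustration (not code from the question or the answer), the following JavaScript models the interaction the question describes: an ASP.NET Core cookie with sliding expiration, a client that hits the authorize endpoint once per access-token lifetime, and the inactivity gate the answer recommends (automaticSilentRenew = false, renew only while the user is active). The names SlidingCookie and simulateSession are invented for the model; the half-window rule in touch() mirrors ASP.NET Core's cookie handler, which re-issues the cookie only after more than half of ExpireTimeSpan has elapsed. All times are seconds from login and all scenarios are constructed.

```javascript
// Model of the IdentityServer authentication cookie with SlidingExpiration = true.
// Assumption (matches ASP.NET Core's CookieAuthenticationHandler): the cookie is
// re-issued on a request only when more than half of ExpireTimeSpan has elapsed.
class SlidingCookie {
  constructor(expireSeconds, issuedAt = 0) {
    this.expireSeconds = expireSeconds;
    this.issuedAt = issuedAt;
    this.expiresAt = issuedAt + expireSeconds;
  }

  // One authenticated request at time `now`. Returns false if the cookie had
  // already expired (the user would be sent to the login page).
  touch(now) {
    if (now >= this.expiresAt) return false;
    if (now - this.issuedAt > this.expireSeconds / 2) {
      this.issuedAt = now;
      this.expiresAt = now + this.expireSeconds;
    }
    return true;
  }
}

// Simulates a browser client that silently renews its access token every
// `tokenSeconds` (each renewal is an authorize request carrying the cookie).
// With `idleLimitSeconds` set, the client behaves as the answer suggests: it
// stops renewing (and signs the user out) once no user activity has been seen
// for that long, instead of letting automatic renewal keep the cookie alive.
function simulateSession({
  cookieSeconds,
  tokenSeconds,
  horizonSeconds,
  idleLimitSeconds = null,
  activityTimes = [0], // constructed: user interaction timestamps
}) {
  const cookie = new SlidingCookie(cookieSeconds, 0);
  for (let t = tokenSeconds; t <= horizonSeconds; t += tokenSeconds) {
    const seen = activityTimes.filter((a) => a <= t);
    const lastActivity = seen.length ? Math.max(...seen) : 0;
    if (idleLimitSeconds !== null && t - lastActivity >= idleLimitSeconds) {
      // Client-side inactivity gate fired: no further silent renewals.
      return { loggedOutAt: t, reason: 'idle-gate' };
    }
    if (!cookie.touch(t)) {
      return { loggedOutAt: t, reason: 'cookie-expired' };
    }
  }
  return { loggedOutAt: null, reason: 'still-signed-in' };
}

// Scenarios constructed to match the observations in the question.
const questionSetup = simulateSession({ cookieSeconds: 900, tokenSeconds: 300, horizonSeconds: 7200 });
const longerToken = simulateSession({ cookieSeconds: 900, tokenSeconds: 1200, horizonSeconds: 7200 });
const withIdleGate = simulateSession({
  cookieSeconds: 900, tokenSeconds: 300, horizonSeconds: 7200, idleLimitSeconds: 1200,
});
console.log('15 min cookie, 300 s token, auto renew:', questionSetup); // never logs out
console.log('15 min cookie, 20 min token:', longerToken);              // logs out at 1200 s
console.log('with 20 min idle gate:', withIdleGate);                   // logs out at 1200 s
```

The first scenario reproduces the question: renewals every 300 s re-issue the 15-minute cookie at every second request, so the window never closes while the page stays open. The second reproduces the observation that a token lifetime longer than the cookie causes a logout. The third shows that the answer's inactivity gate ends the session even though the token lifetime is short, which is the behaviour the question was after.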
