
I am using IdentityServer3 as my IDP. My RP is an MVC5 .NET web application. The web application uses the id_token to create its authentication cookie. It passes the access token to authenticate to a Web API over REST calls.

My id_token is valid for 5 minutes. My access token is valid for 60 min. Once the user authenticates himself, the auth cookie lifetime is 20 minutes with sliding expiry.

My web application startup code is as below:

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = "Cookies",
        CookieHttpOnly = true,
        CookieSecure = CookieSecureOption.Always,
        ExpireTimeSpan = TimeSpan.FromMinutes(sessionExpiryMinutes),
        SlidingExpiration = true
    });

    app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
    {
        Authority = authority,
        ClientId = clientId,
        ResponseType = responseType,
        SignInAsAuthenticationType = "Cookies",
        Scope = scope,
        RedirectUri = redirectUri,
        PostLogoutRedirectUri = redirectUri,
        UseTokenLifetime = false,
        .....
    });

When the user remains idle for 20 minutes, the application cookie expires, the user is redirected to the identity server and new cookies are issued.

The issue comes up when the user keeps the session active: if the user is active on the 60th minute, the access token expires and the API that consumes this access token issues a 401 to my web application. At this point the web application's cookie is still valid, but it's unable to communicate with the API since the access token is invalid.

Am I doing the right thing here? Shall I sign out the user if the access token expires, or shall I extend the access token's validity to a longer duration, say 5 hours, to fix this issue? Or shall I make the cookie non-sliding? A non-sliding cookie would confuse the end user, since he will be using the application and will suddenly be redirected to the IDP.

EDITED: I use the implicit flow and hence I couldn't avail myself of the refresh token.

jothi
  • You can use a refresh token to get a new access token from your MVC5 app, see for example [this answer](https://stackoverflow.com/questions/44175115/how-to-use-refresh-token-in-identityserver-4) – Matt Jul 14 '17 at 11:01
  • @Matt I use the implicit flow, and the answer in the suggestion clearly mentions that it is not applicable for the implicit flow. – jothi Jul 17 '17 at 02:45
  • Saw your edit - from how you've described your app, you can use the hybrid flow instead, which allows refresh tokens. – Matt Jul 17 '17 at 04:24
  • Ok, let me explore the same. Thank you! – jothi Jul 17 '17 at 05:26

0 Answers
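Added example (not from the question, and not IdentityServer3's own sample code) of one way to stop the sliding cookie from outliving the access token it carries: two hypothetical helpers meant to be plugged into `OpenIdConnectAuthenticationNotifications.SecurityTokenValidated` and `CookieAuthenticationProvider.OnValidateIdentity` in the Startup code above. The claim name `access_token_expires_at` and the class name are assumptions; the Katana types used are the ones the MVC5 OWIN OpenID Connect and cookie middleware expose.

```csharp
using System;
using System.Globalization;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.Notifications;
using Microsoft.Owin.Security.OpenIdConnect;

// Hypothetical helper class (example code): RecordAsync runs at sign-in, ValidateAsync on every
// request that presents the cookie. Wire them into Notifications / Provider in Startup.
public static class TokenExpiryGuard
{
    // Claim name is our own choice; it carries the access token's absolute expiry inside the cookie.
    private const string ExpiresAtClaim = "access_token_expires_at";

    // Implicit flow: access_token and expires_in arrive with the id_token in the front-channel
    // response. Store the absolute expiry, so later requests can compare it against the clock.
    public static Task RecordAsync(
        SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> n)
    {
        var identity = n.AuthenticationTicket.Identity;
        int seconds;
        if (int.TryParse(n.ProtocolMessage.ExpiresIn, out seconds))   // expires_in is optional
        {
            var expiresAt = DateTimeOffset.UtcNow.AddSeconds(seconds).ToString("o");
            identity.AddClaim(new Claim(ExpiresAtClaim, expiresAt));
        }
        if (n.ProtocolMessage.AccessToken != null)
            identity.AddClaim(new Claim("access_token", n.ProtocolMessage.AccessToken));
        return Task.FromResult(0);
    }

    // Sliding expiry renews the cookie but never the token inside it, so reject the cookie once
    // that token is dead instead of letting the app hit the API with it and get 401s.
    public static Task ValidateAsync(CookieValidateIdentityContext ctx)
    {
        var claim = ctx.Identity.FindFirst(ExpiresAtClaim);
        if (claim == null) return Task.FromResult(0);   // no lifetime recorded: nothing to enforce
        DateTimeOffset expiresAt;
        var expired = !DateTimeOffset.TryParse(claim.Value, CultureInfo.InvariantCulture,
                                               DateTimeStyles.RoundtripKind, out expiresAt)
                      || DateTimeOffset.UtcNow >= expiresAt;
        if (expired)
        {
            ctx.RejectIdentity();
            ctx.OwinContext.Authentication.SignOut(ctx.Options.AuthenticationType);
        }
        return Task.FromResult(0);
    }
}
```

Once the cookie is rejected, the normal [Authorize] challenge redirects to the IDP, which re-issues tokens without a prompt while the IDP session is still alive, so the cookie session can never run longer than the 60-minute access token it holds.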