
I configured Identity Server:

```csharp
public void Configuration(IAppBuilder app)
{
    // Register the client application as an in-memory implicit-flow client.
    var factory = new IdentityServerServiceFactory().UseInMemoryClients(new Client[] {
        new Client()
        {
            ClientName = "MyClient",
            ClientId = "MyClientId",
            Enabled = true,
            Flow = Flows.Implicit,
            RedirectUris = new List<string> { "MyClientServer/callback" },
        }
    });
}
```

and client server:

```csharp
public void Configuration(IAppBuilder app)
{
    // Local cookie that holds the client application's own session.
    var cookieOptions = new CookieAuthenticationOptions();
    cookieOptions.AuthenticationType = "Cookies";
    app.UseCookieAuthentication(cookieOptions);

    var authenticationOptions = new OpenIdConnectAuthenticationOptions() {
        Authority = "https://MyIdentityServer/core",
        ClientId = "MyClientId",
        SignInAsAuthenticationType = "Cookies",
        UseTokenLifetime = true,
        RedirectUri = "MyClientServer/callback"
    };

    app.UseOpenIdConnectAuthentication(authenticationOptions);
}
```

When a user logs in with the "Remember Me" option, the Identity cookie has an expiration date:

idsvr.session    expires 04 October ...

But client cookie does not:

.AspNet.Cookies  at end of session

What should I do to set the same expiration date on the client cookie?

UPDATE:

I can set any expiration date in client application:

```csharp
authenticationOptions.Provider = new CookieAuthenticationProvider()
{
    OnResponseSignIn = (context) =>
    {
        var isPersistent = context.Properties.IsPersistent;
        if (isPersistent) // Always false
        {
            context.CookieOptions.Expires = DateTime.UtcNow.AddDays(30);
        }
    }
};
```

But I cannot determine when to set the expiration date. It should be set only when the user selects "Remember Me", but the IsPersistent option is always false on the client side.

The problem exists in the simple boilerplate project too: https://identityserver.github.io/Documentation/docsv2/overview/mvcGettingStarted.html

UPDATE2:

I need the client cookie to be persistent because of a bug in Safari - https://openradar.appspot.com/14408523

Maybe some workaround exists, so I can pass expiration date in callback from Identity to Client?

UPDATE3:

Actually, our Identity and Client servers have the same parent domain, like app.server.local and id.server.local. Maybe I can pass the expiration date via an additional cookie that belongs to the parent domain (.server.local)? But I have no idea where it can be written on Identity, and where it can be applied on the Client.

Artem
  • Questions seeking debugging help ("**why isn't this code working?**") must include the desired behavior, a *specific problem or error and the shortest code necessary* to reproduce it **in the question itself**. Questions without **a clear problem statement** are not useful to other readers. See: [How to create a Minimal, Complete, and Verifiable example](http://stackoverflow.com/help/mcve). – Noctis Skytower Oct 06 '17 at 21:25
  • .Provider is a property of cookieOptions not authenticationOptions – dstr Apr 10 '20 at 08:39

3 Answers


A cookie issued by IdentityServer and a cookie issued by a client application are not linked in any way. IdentityServer does not have any control over cookies in a client application.

When you log in to IdentityServer, you are issued a cookie that tracks the authenticated user within IdentityServer. This saves the user from entering their credentials for every client application, facilitating single sign on.

By default this cookie lasts for that session (so it expires once the browser closes); if you set "remember me", it will last for a set number of days, across sessions.

A cookie in a client application would be issued upon successful verification of an identity token from IdentityServer. This cookie can have any expiration time, any policy, any name. It's completely controlled by the client application. In your case client cookie expiration can be set in the CookieAuthenticationOptions in your client application.

Scott Brady
  • Yes, it is completely controlled by the client application. But I need to set the expiration date only when IdentityServer sets it. If the IsPersistent flag on the IdentityServer side is false, the client side should use a session cookie. See question update. – Artem Oct 09 '17 at 14:11
  • There's no mechanism to do that. This would have to be a custom implementation, off spec. Out of curiosity, what is the need for the persistent client cookie? – Scott Brady Oct 09 '17 at 15:08
  • There is a bug in Safari - http://openradar.appspot.com/14408523, so I need a persistent cookie as a workaround. – Artem Oct 09 '17 at 15:23
  • To clarify, what's the purpose of the `UseCookieAuthentication` middleware within your IdentityServer code? – Scott Brady Oct 09 '17 at 15:39
  • The token authentication solves the problem, but it is an old service and I cannot replace authentication type in the nearest future. – Artem Oct 09 '17 at 15:59
  • I think if you change the name of your cookies (don't have them both use an `AuthenticationType` of "Cookies") and then update your question about what you're expecting, things might become a little more clear. I ask about the `UseCookieAuthentication` middleware inside the IdentityServer app, as it doesn't need to be there for IdentityServer to work. IdentityServer issues its own cookies, no extra middleware needed. – Scott Brady Oct 10 '17 at 07:41
  • I removed `UseCookieAuthentication` from Identity and updated my question. – Artem Oct 10 '17 at 09:58

You need to handle the cookie auth events. The open id middleware just creates an auth cookie, so you can handle all aspects of this cookie from those events. You'll need to look at the events and with a little trial and error you should be able to manage the cookie lifetime.

Simon Halsey
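
A sketch of the event-based approach described in this answer, combined with the "custom implementation, off spec" mentioned in the comments above. This is an added example, not code from the original posts or from the IdentityServer or Katana projects. It assumes IdentityServer has been customized to emit a `remember_me` claim in the identity token (a hypothetical claim name; the page does not show how to issue it). Reading the signal from the validated, signed token keeps it tamper-evident.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public class Startup
{
    // Chosen by the client, never taken from the hint: the hint can only
    // switch persistence on, it cannot extend the session.
    private static readonly TimeSpan PersistentLifetime = TimeSpan.FromDays(30);

    public void Configuration(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "Cookies",
            CookieHttpOnly = true,
            CookieSecure = CookieSecureOption.Always
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            Authority = "https://MyIdentityServer/core",
            ClientId = "MyClientId",
            RedirectUri = "MyClientServer/callback",
            SignInAsAuthenticationType = "Cookies",
            UseTokenLifetime = false, // lifetime is decided in the notification below
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                // Runs after the identity token's signature and claims were validated.
                SecurityTokenValidated = n =>
                {
                    var ticket = n.AuthenticationTicket;
                    // ASSUMPTION: "remember_me" is a hypothetical custom claim
                    // that the identity provider adds when the user ticks "Remember Me".
                    var hint = ticket.Identity.FindFirst("remember_me");
                    bool persist = hint != null && hint.Value == "true";

                    ticket.Properties.IsPersistent = persist;
                    if (persist)
                    {
                        ticket.Properties.ExpiresUtc = DateTimeOffset.UtcNow.Add(PersistentLifetime);
                    }
                    return Task.FromResult(0);
                }
            }
        });
    }
}
```

When `IsPersistent` is false the cookie middleware issues a session cookie; when it is true the cookie's `Expires` attribute follows `ExpiresUtc`.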

You can do it in JavaScript by using the following code. Here I have created the cookie to expire in 14 days.

```javascript
var exdate = new Date();
exdate.setDate(exdate.getDate() + 14);

document.cookie = "yourcookie=" + yourCookieValue + ";expires=" + exdate.toUTCString() + ";";
```

Nisal Edu