I am currently using ASP.NET Core Identity. I cannot figure out the setting to extend the session length but I keep getting logged out - I assume there's a sliding expiration of ~20 minutes, but I can't find the setting. Note, I am using Google as external OAuth.

        services.AddIdentity<ApplicationUser, IdentityRole>(o =>
            {
                o.Password.RequireDigit = false;
                o.Password.RequireLowercase = false;
                o.Password.RequireUppercase = false;
                o.Password.RequireNonAlphanumeric = false;
                o.Password.RequiredLength = 6;
                o.SecurityStampValidationInterval = TimeSpan.FromHours(8);
                o.Cookies.ExternalCookie.ExpireTimeSpan = TimeSpan.FromHours(8);
                o.Cookies.ApplicationCookie.ExpireTimeSpan = TimeSpan.FromHours(8);
            })
            .AddEntityFrameworkStores<ApplicationDbContext>()
            .AddDefaultTokenProviders();


        app.UseIdentityServer();

        app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
        {
            Authority = $"http://localhost:55504/",
            RequireHttpsMetadata = false,
            AllowedScopes =
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile,
                IdentityServerConstants.StandardScopes.Email,
                "name",
                "given_name",
                "family_name",
                "role"
            }
        });

        var googleOptions = serviceProvider.GetRequiredService<GoogleOptions>();
        app.UseGoogleAuthentication(new GoogleOptions
        {
            AuthenticationScheme = "Google",
            SignInScheme = "Identity.External",
            ClientId = googleOptions.ClientId,
            ClientSecret = googleOptions.ClientSecret
        });
ttugates
Kerry Ritter
  • Possible duplicate of [Cookie Authentication expiring too soon in ASP.NET Core](https://stackoverflow.com/questions/45595615/cookie-authentication-expiring-too-soon-in-asp-net-core) – SteelToe Dec 27 '17 at 19:14
  • Where and how are you hosting your application? IIS? Azure App Service? Then you need to enable data protection, so your encryption key for the cookies survives the application restart. See [my answer here](https://stackoverflow.com/a/47559544/455493) – Tseng Dec 27 '17 at 21:32

1 Answer

This question/answer is specific to Identity Server 4.

You would do something like this in your Configure:

    app.UseGoogleAuthentication(new GoogleOptions
    {
        SignInScheme = "Identity.External", // this is the name of the cookie middleware registered by UseIdentity()
        ClientId = Configuration["ExternalAuthentication:Google:ClientId"],
        ClientSecret = Configuration["ExternalAuthentication:Google:ClientSecret"]
    });

    app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
    {
        Authority = $"http://localhost:55504/",
        RequireHttpsMetadata = false,
        AllowedScopes =
        {
            IdentityServerConstants.StandardScopes.OpenId,
            IdentityServerConstants.StandardScopes.Profile,
            IdentityServerConstants.StandardScopes.Email,
            "name",
            "given_name",
            "family_name",
            "role"
        }
    });

and in your ConfigureServices

    // Identity
    // https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity
    // http://docs.identityserver.io/en/release/quickstarts/6_aspnet_identity.html
    services.AddIdentity<ApplicationUser, IdentityRole>(o =>
        {
            // configure identity options
            o.Password.RequireDigit = false;
            o.Password.RequireLowercase = false;
            o.Password.RequireUppercase = false;
            o.Password.RequireNonAlphanumeric = false;
            o.Password.RequiredLength = 6;
        })
        .AddEntityFrameworkStores<AuthDbContext>()
        .AddDefaultTokenProviders();

    // The cookie settings are members of IdentityServerOptions.Authentication, not of
    // IdentityServerAuthenticationOptions, so they are set here (assumes an IdentityServer4
    // version that exposes them; keep the rest of your AddIdentityServer() chain).
    services.AddIdentityServer(options =>
    {
        // CookieLifetime default is 10 Hours
        options.Authentication.CookieLifetime = TimeSpan.FromHours(24);

        // Default CookieSlidingExpiration = false;
        options.Authentication.CookieSlidingExpiration = true;
    });
ttugates
  • That won't help him when the application recycles and the encryption key is lost and on next start a new encryption key is generated – Tseng Dec 27 '17 at 21:33
  • I gave an off the cuff answer admittedly. But I will update my answer with code that is currently working between server restarts, with Google OAuth, hosted on Azure, using MS Identity and IdentityServer 4. The name "Identity" is part of 2 separate packages in his code. – ttugates Dec 27 '17 at 21:39
  • The issue doesn't occur through a token workflow from IS4, it's through the OOB AccountController and CookieAuthentication - I will try to disable IS4 and see if the error still exists. – Kerry Ritter Dec 28 '17 at 22:20
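
The data protection point raised in Tseng's comments, as an added example that is not part of the original posts: a console program that issues a protected ticket in one "application lifetime" and tries to read it in the next, once with the same key directory and once with a different one. It assumes the NuGet package Microsoft.AspNetCore.DataProtection.Extensions; the directory names, the `auth-cookie` purpose string and the payload are constructed for the demo.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;

public static class KeyRingDemo
{
    // Simulates one application lifetime: builds a provider over keyDir and
    // returns a protector, much as the cookie middleware obtains one at startup.
    static IDataProtector Start(string keyDir) =>
        DataProtectionProvider.Create(new DirectoryInfo(keyDir))
                              .CreateProtector("auth-cookie"); // hypothetical purpose

    // True when a ticket issued before the "restart" can still be read after it.
    static bool SurvivesRestart(string dirBefore, string dirAfter)
    {
        string ticket = Start(dirBefore).Protect("user=alice"); // constructed payload
        try
        {
            return Start(dirAfter).Unprotect(ticket) == "user=alice";
        }
        catch (CryptographicException)
        {
            // The key that protected the ticket is not in the new key ring:
            // the cookie is rejected and the user is signed out, regardless
            // of the configured ExpireTimeSpan.
            return false;
        }
    }

    public static void Main()
    {
        string root = Path.Combine(Path.GetTempPath(), "dp-demo-" + Guid.NewGuid());
        string persisted = Path.Combine(root, "persisted");

        // Same directory on both sides of the restart: keys are reloaded from disk.
        Console.WriteLine("persisted keys: " + SurvivesRestart(persisted, persisted));

        // Different directory after the restart: stands in for a key ring
        // that was lost when the application recycled.
        Console.WriteLine("lost keys:      " +
            SurvivesRestart(Path.Combine(root, "a"), Path.Combine(root, "b")));

        Directory.Delete(root, recursive: true);
    }
}
```

In the web application the corresponding setting is `services.AddDataProtection().PersistKeysToFileSystem(...)` in ConfigureServices, pointed at storage that outlives the process and is readable only by the application's account.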