I am working with Identity Server 3 on the service and oidc-client.js in my front end. The client setup in Identity Server does not set the token lifetime options, so should have the default values of 300s (5min) for the identity token lifetime and 3600s (60min or 1hr) for the access token lifetime. My client app requests and receives both an identity token and an access token. The oidc-client user object exposes expiration information about the access token. But how can I tell when the identity token has expired? Or maybe more to the point, which token should represent a still valid login/authentication? My code is currently using the user object expiration data to determine if a user is authenticated, but now that I realize that's the access token expiration, I'm not sure that's the right thing to do. Same question asked another way: If a user logs in and gets an identity token that's valid for 5 minutes and an access token that's valid for 60 minutes, when does that user's authentication expire and how does the client app know it has expired?

Zoe
  • As per the OpenID Connect standard you should be worried about only the access_token. The identity token is more about session and, as I can see, is handled and stored in the browser. I use access_token and renew that token before it expires every time, so my server always receives the latest token for security reasons. What flow are you using for authentication? – Sohan Apr 03 '18 at 05:58
  • My client is an Angular JS front end and I am using Implicit flow. And I am, as you suggest, working solely with the access token. I'm still a little unclear about the purpose of the identity token. Maybe it plays a role when you're using Identity Server solely for authentication (identity) and not for authorization (access). Maybe when you're doing both, the access token sort of supersedes the identity token? – Zoe Apr 03 '18 at 12:22
  • Well, there is the case where the session expires at the Identity Provider, so after the hour you will need to authenticate again. The oidc-client library monitors the session at the OP; for this the identity token is used. For that purpose there is a property named "monitorSession" within oidc-client to monitor if a user has logged out at the OP. access_token is a pure form of authorization token, whereas the identity token is kind of a session. – Sohan Apr 03 '18 at 13:47
  • You say "the session expires at the Identity Provider so after the hour...", but if you're talking about "after the hour", that sounds like the access token lifetime, which defaults to an hour. The default identity token lifetime is 5 minutes and nothing happens in my code after that 5 minutes and, based on the oidc-client, I think I'd be hard-pressed to make anything happen, since it doesn't appear to expose that expiration. – Zoe Apr 05 '18 at 13:28
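The question notes that oidc-client's `user` object exposes the access-token expiry (`expires_at`) but nothing for the identity token. The identity token's own `exp` claim is still present in the raw `id_token` string the user object carries, so a client can read it directly and put both lifetimes side by side. The following is an added example, not code from the question or from oidc-client.js; it assumes a `user` shaped like oidc-client's `User` (an `id_token` string plus `expires_at` in epoch seconds), runs under Node.js (it uses `Buffer`; a browser build would use `atob`/`btoa`), and only parses the token rather than verifying its signature, which oidc-client already does when it validates the sign-in response. The sample user, issuer, client id and signature segment are constructed placeholders.

```javascript
// Added example; not code from the question or from oidc-client.js.
// Assumption: `user` is shaped like oidc-client's User object, carrying the raw
// id_token string and expires_at (access-token expiry, epoch seconds).
// Runs under Node.js (uses Buffer); in a browser swap in atob()/btoa().

function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const pad = '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(b64 + pad, 'base64').toString('utf8');
}

// Reads the payload of a compact JWT. This only parses; it does NOT verify the
// signature, so use it solely to read timing claims of a token that oidc-client
// has already validated during the sign-in response.
function decodeJwtPayload(token) {
  const parts = typeof token === 'string' ? token.split('.') : [];
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Seconds until the id_token's exp claim (negative once it has passed).
function idTokenSecondsLeft(user, nowSeconds = Math.floor(Date.now() / 1000)) {
  const claims = decodeJwtPayload(user.id_token);
  if (!Number.isInteger(claims.exp)) throw new Error('id_token has no numeric exp claim');
  return claims.exp - nowSeconds;
}

// Seconds until the access token expires, from oidc-client's expires_at.
function accessTokenSecondsLeft(user, nowSeconds = Math.floor(Date.now() / 1000)) {
  return user.expires_at - nowSeconds;
}

// Side-by-side view of both lifetimes for one user object.
function tokenStatus(user, nowSeconds = Math.floor(Date.now() / 1000)) {
  const idLeft = idTokenSecondsLeft(user, nowSeconds);
  const accessLeft = accessTokenSecondsLeft(user, nowSeconds);
  return {
    idTokenExpired: idLeft <= 0,
    idTokenSecondsLeft: idLeft,
    accessTokenExpired: accessLeft <= 0,
    accessTokenSecondsLeft: accessLeft,
  };
}

// Constructed sample user mirroring the defaults in the question: id_token
// valid for 300 s, access token valid for 3600 s. Issuer, audience, subject and
// the signature segment are placeholders; nothing here verifies them.
function makeSampleUser(issuedAt) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const payload = base64UrlEncode(JSON.stringify({
    iss: 'https://idp.example.test', // constructed issuer
    aud: 'spa-client',               // constructed client id
    sub: 'user-123',                 // constructed subject
    iat: issuedAt,
    exp: issuedAt + 300,
  }));
  return {
    id_token: `${header}.${payload}.placeholder-signature`,
    access_token: 'placeholder-access-token',
    expires_at: issuedAt + 3600,
  };
}

// Demo: ten minutes after sign-in the id_token has lapsed but the access token
// still has 50 minutes left, which is the situation the question describes.
const demoUser = makeSampleUser(Math.floor(Date.now() / 1000) - 600);
console.log(tokenStatus(demoUser));
```

Running the demo shows `idTokenExpired: true` alongside `accessTokenExpired: false`. In practice the identity token's `exp` matters at the moment the sign-in response is validated; after that, the access-token expiry (`user.expires_at`, or `user.expired`) is the value that should drive whether the client still holds a usable credential, and the OP-side session end that the comments mention is what `monitorSession` watches for.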

0 Answers