
I'm using the Identity Server 3 OpenID Connect to create a Hybrid client that will have long-lived access (allowing users to stay signed in for 5 years without needing to re-enter their credentials).

I have defined an In-Memory configuration store client like so:

new Client
{
    Enabled = true,
    ClientId = MyClientApp.Id,
    ClientUri = MyClientApp.Uri,
    ClientName = MyClientApp.Name,
    Flow = Flows.Hybrid,                                 // hybrid flow: code + id_token (+ token) from the authorize endpoint
    AllowAccessToAllScopes = true,                       // includes offline_access, which is what makes refresh tokens available
    IdentityTokenLifetime = 300,                         // seconds (5 minutes)
    AccessTokenLifetime = 3600,                          // seconds (1 hour)
    RefreshTokenExpiration = TokenExpiration.Absolute,   // fixed deadline; refreshing does not extend it
    AbsoluteRefreshTokenLifetime = (int)TimeSpan.FromDays(1825).TotalSeconds, // 5 years
    RefreshTokenUsage = TokenUsage.OneTimeOnly,          // each refresh token is single-use; a new one is issued on every refresh
    UpdateAccessTokenClaimsOnRefresh = true,
    RequireConsent = false,
    RedirectUris = new List<string>
    {
        MyClientApp.Uri
    },
    PostLogoutRedirectUris = new List<string>
    {
        MyClientApp.Uri
    },
    ClientSecrets = new List<Secret>
    {
        new Secret(MyClientApp.Secret.Sha256())          // only the hashed secret is stored
    }
},

Where:

MyClientApp.Id = test.client
MyClientApp.Uri = https://testclient.trx.com
MyClientApp.Name = My Test Client

The Access Token will expire in 3600 seconds (1 hour)

The Identity Token will expire in 300 seconds (5 minutes),

The Refresh Token (Absolute) will expire in 5 years

Is this the correct way to define a Client that meets my requirements?

Requirements:

User Signs in (authenticates) one time

User will remain signed in without the session expiring in 5 years

User will need to enter their credentials again after 5 years

I'd appreciate any help

Thank You

Eric Bergman
    I am assuming your "user" is not a human being, rather another application or software trying to access protected resource. – TejSoft Nov 01 '18 at 06:06
  • @TejSoft My users are human beings who log into a SPA AngularJS client, using the oidc-token-manager.js client to request tokens from the server. I just read that refresh tokens might not be a good idea for SPA/JS-based apps like AngularJS apps, not sure why. Basically I want to log in with a user and display stats that keep updating on the screen forever, and for that I don't want my session to expire. I was reading that long-lived reference tokens might be a better option. – Eric Bergman Nov 02 '18 at 02:01

1 Answer


So looking over this, it looks like it is a correct setup for IdentityServer3 to get the results you are looking for.

In IS4 you would AllowOfflineScope and set GrantType; in IS3 that's the Flow and AllowAccessToAllScopes that you have set. The lifetimes look fine: it should resolve a new access token once every hour and the refresh token will do that for 5 years.

Edit: With the additional info given about using AngularJS in a SPA this changes things. Prior to version 4.3 of Angular it seems that refresh tokens are not supported; after 4.3 you can use an HttpInterceptor to utilize refresh tokens.

In regards to the Flow of the client, an SPA can only use the Implicit type.


Using oidc-token-manager and silent renew:

As you mention using the oidc-token-manager, one option would be to use the silent renew feature and configure the ExpireTimeSpan of CookieOptions within IdentityServer. This allows the single page app to silently renew the session based on a cookie on the client; the only downside is of course that if the client clears their cookies it will then require logging in again.

Part 3 of this IdentityServer tutorial has details on setting up silent renew, and all that should be required is extending the cookie lifetimes.


Using HttpInterceptors with refresh tokens:

The HttpInterceptor also mentioned, which is supported in 4.3+ of AngularJS, is something that I don't really have experience with using, though there are many guides around for implementing refresh tokens with it, like this example.

Gibbon
  • I have an AngularJS client that uses the oidc-token-manager.js library to request tokens from Identity Server; the problem is that the refresh token is not being returned for some reason. I did specify a response_type of code id_token token and a scope of offline_access. I read that refresh tokens are not a good idea for SPA/JS-based apps like AngularJS apps, not sure why. Basically I want to log in with a user and display stats that keep updating on the screen forever, and for that I don't want my session to expire. I was reading that long-lived reference tokens might be a better option. – Eric Bergman Nov 02 '18 at 02:09
  • @EricBergman Thanks for the additional info. I've just arrived at work, but sometime today once I've finished I can try setting up a quick AngularJS app and testing it further. I have not really used IdentityServer with an AngularJS app before, so I'm not entirely sure what the issue would be without doing some testing. Will add more details once I've had a more in-depth test :) – Gibbon Nov 02 '18 at 08:28
  • @EricBergman Extra detail up on two possible methods (depending on which version of AngularJS you're using). Hope this helps :) – Gibbon Nov 02 '18 at 21:18
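As an added example (not IdentityServer's code and not the asker's), here is a small JavaScript model of what the posted RefreshTokenUsage = OneTimeOnly and RefreshTokenExpiration = Absolute settings mean in practice: every refresh rotates the handle, a replayed handle fails, and the rotated handle inherits the original 5-year deadline, so hourly silent refreshes carry a session to exactly 1825 days and no further. The class, the handle format and the simulation helpers are assumptions of the model; the lifetimes are the ones from the question.

```javascript
// Simplified model (added example, not IdentityServer3 code) of the refresh-token policy
// in the posted Client: OneTimeOnly rotates the handle and rejects replay; Absolute makes
// the rotated handle inherit the ORIGINAL deadline instead of sliding it forward.
// Values taken from the question's Client definition (all in seconds).
const POSTED_CONFIG = {
  accessTokenLifetime: 3600,
  absoluteRefreshTokenLifetime: 1825 * 24 * 3600, // TimeSpan.FromDays(1825)
  refreshTokenUsage: 'OneTimeOnly',
};

class RefreshTokenModel {
  constructor(config) { this.config = config; this.store = new Map(); this.seq = 0; }
  // First interactive sign-in: the absolute deadline is fixed here and never moves.
  login(now) { return this.issue(now, now + this.config.absoluteRefreshTokenLifetime); }
  // Exchange a refresh token for new tokens; throws where a server answers invalid_grant.
  refresh(handle, now) {
    const rec = this.store.get(handle);
    if (!rec) throw new Error('invalid_grant: unknown or already used refresh token');
    if (now >= rec.refreshExpiresAt) throw new Error('invalid_grant: refresh token expired');
    if (this.config.refreshTokenUsage === 'OneTimeOnly') this.store.delete(handle); // rotate
    return this.issue(now, rec.refreshExpiresAt); // Absolute: keep the original deadline
  }
  issue(now, refreshExpiresAt) {
    const handle = 'rt-' + (++this.seq); // a real server uses an unguessable random handle
    this.store.set(handle, { refreshExpiresAt });
    return { accessTokenExpiresAt: now + this.config.accessTokenLifetime, refreshToken: handle };
  }
}

// A client that signs in once at t=0 and silently refreshes each time the access token
// expires. Returns the number of successful refreshes and the instant (seconds after
// sign-in) at which the user must authenticate interactively again.
function simulateSilentRenew(config) {
  const svc = new RefreshTokenModel(config);
  let tokens = svc.login(0);
  let refreshes = 0;
  for (;;) {
    try { tokens = svc.refresh(tokens.refreshToken, tokens.accessTokenExpiresAt); refreshes++; }
    catch (e) { return { refreshes, reauthAt: tokens.accessTokenExpiresAt }; }
  }
}

// A leaked, already-rotated handle is rejected even though its deadline has not passed.
function replayIsRejected(config) {
  const svc = new RefreshTokenModel(config);
  const first = svc.login(0);
  svc.refresh(first.refreshToken, 3600);
  try { svc.refresh(first.refreshToken, 3700); return false; } catch (e) { return true; }
}
```

With the posted lifetimes the simulation performs 43,799 hourly refreshes and forces re-authentication at exactly 1825 days, which is the behaviour the question asks for; switching RefreshTokenExpiration to Sliding would instead move the deadline on every refresh.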