1

I am using MVC client with IdentityServer3.AccessTokenValidation and Identity Server 4 as my IDP app.

I have added cookie timeout at below places, however seems like session never expires and doesn't automatically logout the user -

In MVC client -

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = "Cookies",
    ExpireTimeSpan = new TimeSpan(0, 20, 0, 0)
});

If I set time less than 20 hours, authorization request runs for infinite loop

In IDP app, 

services.AddIdentityServer(
    opt => new IdentityServer4.Configuration.IdentityServerOptions
    {
        Authentication = new IdentityServer4.Configuration.AuthenticationOptions()
        {
            CookieLifetime = TimeSpan.FromSeconds(60)
        }
    }

In IDP app,

.AddCookie("Cookies", opt => {
    opt.ExpireTimeSpan = TimeSpan.FromSeconds(60);
    opt.Cookie = new CookieBuilder() { Expiration = new TimeSpan(0,0,0,60) };
    opt.Events.OnSigningIn = (context) =>
    {
        context.CookieOptions.Expires = DateTimeOffset.UtcNow.AddSeconds(60);
        return Task.CompletedTask;
    };
})
Simply Ged
  • 8,250
  • 11
  • 32
  • 40
ravneet singh
  • 21
  • 1
  • 3

1 Answers1

1

This is my interpretation of the general approach to this:

The intent of OIDC (via the session management spec) is that the IDP session becomes the "master" and thus when you sign out of it all your client app sessions should also end (via front or back channel logout and the client side session monitoring mechanism).

This does not preclude the client apps from having their own rules around how often a user must interactively authenticate or what method(s) must be used. To control this from the client you can use the prompt and max_age authorize endpoint parameters and subsequent checking of the auth_time claim in the id_token that is returned.

In this setup it makes sense in my opinion to have a persistent cookie for the IDP that's fairly long lived (and renewed whenever the user authenticates interactively) and a session (i.e. removed when browser is closed) cookie in the client app.

For all this to work you must use a recognised grant type - typically hybrid for a serverside application - as only then do you have access to the data and features that enable this stuff.

Check out these specs:

mackie
  • 4,996
  • 1
  • 17
  • 17
  • I am using Implicit flow within client MVC app, using cookie expiration gives me sliding functionality. I actually implemented by this approach by setting the expiration. My question is still what is the best way to do it using cookies or else how one can do subsequent checking ? I was using session heartbeat but that makes my client app to never expire the session. – ravneet singh Nov 22 '18 at 19:36