
I need to change the token on the client when changing user data on the server. For example, after changing some data on the server, I do a re-login. I see these changes, but the web application does not update this data automatically, that is, to use them, I need to exit the application and log in again to receive a new token. The documentation for IdentityServer 4 says that the token update option does not work for Implicit flow. But probably there are some ways to update the token (is it possible to do this by setting a timeout or something else)?

IdentityServer4 settings for client:

```csharp
// React AOO client: one entry in the IdentityServer4 Clients list
new Client
{
    ClientId = "airvector",
    ClientName = "Airvector Ordering Online",
    //AccessTokenType = AccessTokenType.Reference,
    //AccessTokenLifetime = 30,
    //IdentityTokenLifetime = 10,
    AllowedGrantTypes = GrantTypes.Implicit,
    AllowAccessTokensViaBrowser = true,   // needed for implicit flow (tokens come back in the URL fragment)
    RequireConsent = false,
    //RefreshTokenUsage = TokenUsage.OneTimeOnly,
    AccessTokenLifetime = 3600 * 24,      // seconds, i.e. 24 hours

    RedirectUris = { "http://localhost:3000/callback" },
    PostLogoutRedirectUris = { "http://localhost:3000/login" },
    AllowedCorsOrigins = { "http://localhost:3000" },

    AllowedScopes =
    {
        IdentityServerConstants.StandardScopes.OpenId,
        IdentityServerConstants.StandardScopes.Profile,
        "aoo_api",
        "Schedules.API",
        "Ordering.API",
        "Catalog.API"
    }
},
```

userManager in React:

```typescript
import { createUserManager } from 'redux-oidc';
import { UserManagerSettings } from 'oidc-client';

// Build the redirect URI from the current origin; the template literal must stay
// on one line, otherwise the line breaks end up inside the URI.
const port = window.location.port ? `:${window.location.port}` : '';
const userManagerConfig: UserManagerSettings = {
  client_id: 'airvector',
  redirect_uri: `${window.location.protocol}//${window.location.hostname}${port}/callback`,
  response_type: 'token id_token',          // implicit flow
  scope: 'openid profile aoo_api Schedules.API Ordering.API Catalog.API',
  authority: 'http://localhost:5000',       // DEV
  silent_redirect_uri: 'http://localhost:3000/login',
  automaticSilentRenew: true,
  filterProtocolClaims: true,
  loadUserInfo: true,
  monitorSession: true
};
const userManager = createUserManager(userManagerConfig);
export default userManager;
```

  • Is it necessary that the data is part of the token? –  Jul 05 '19 at 13:48
  • @RuardvanElburg of course, I need all info with roles – Denis Lopatin Jul 05 '19 at 13:57
  • My question is not if you need the data, but whether the information should be part of the token. Because claims are not supposed to change frequently. If that's the case, you should consider using an alternative source for the information. Are you familiar with [this article](https://leastprivilege.com/2016/12/16/identity-vs-permissions/)? –  Jul 05 '19 at 14:15
  • @RuardvanElburg Perhaps, but there is not much data, why create extra logic when everything can be kept in one place? In addition, the session can be very long, and we want to change the rights of users and immediately apply them in all current sessions. – Denis Lopatin Jul 05 '19 at 14:43
  • @RuardvanElburg Thanks for the article, we will study this question more carefully. (I work on the basis of the requirements of the director :)) – Denis Lopatin Jul 05 '19 at 14:47
  • Given your previous comment you should take a look at [PolicyServer](https://policyserver.io/), the follow up of the article. –  Jul 05 '19 at 15:25
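As an added example (not code from the question, nor from oidc-client or IdentityServer4 themselves), this is how a silent renew can be triggered on demand in the implicit-flow setup above so the client picks up a token with fresh claims without logging out. It assumes the question's userManager, a watched claim named `role`, and a constructed signal from the API that user data changed.

```javascript
// The page at silent_redirect_uri must complete the hidden-iframe round-trip; the oidc-client
// docs want a tiny dedicated page (e.g. /silent-renew.html) that only runs
//   new Oidc.UserManager().signinSilentCallback();   -- the normal /login page does not.

// oidc-client exposes a single-valued claim as a string and a multi-valued one as an array.
function normalizeClaim(value) {
  const list = Array.isArray(value) ? value : value === undefined ? [] : [value];
  return list.map(String).sort();
}

// True when any watched claim differs between two oidc-client User objects ('role' is assumed).
function claimsChanged(oldUser, newUser, claimNames = ['role']) {
  if (!oldUser || !newUser) return oldUser !== newUser;
  return claimNames.some((name) => {
    const a = normalizeClaim(oldUser.profile[name]);
    const b = normalizeClaim(newUser.profile[name]);
    return a.length !== b.length || a.some((v, i) => v !== b[i]);
  });
}

// Throttled, single-flight wrapper around userManager.signinSilent(): a hidden iframe to the
// authorize endpoint with prompt=none, which succeeds while the IdentityServer session cookie is valid.
function createRenewer(userManager, { minIntervalMs = 10000, now = Date.now } = {}) {
  let lastRenewAt = -Infinity;
  let inFlight = null;
  return {
    canRenew: () => inFlight === null && now() - lastRenewAt >= minIntervalMs,
    renew() {
      if (inFlight) return inFlight;                      // reuse the pending renew
      if (now() - lastRenewAt < minIntervalMs) return Promise.resolve(null);
      inFlight = userManager.signinSilent().then(
        (user) => { lastRenewAt = now(); inFlight = null; return user; },
        (err) => { inFlight = null; throw err; }
      );
      return inFlight;
    },
  };
}

// App wiring: renew when the API reports changed user data (constructed signal),
// and notify the UI only when the watched claims actually differ.
function wire(userManager, renewer, onRolesChanged) {
  let current = null;
  userManager.events.addUserLoaded((user) => {
    if (current && claimsChanged(current, user)) onRolesChanged(user);
    current = user;
  });
  return { onUserDataChanged: () => renewer.renew() };
}
```

The renew only works while the IdentityServer session cookie is alive in the browser, and the new token only carries updated roles if the profile service reads them from the store at issuance rather than from a cached claims set.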

0 Answers