
Most of the questions I found here on SO have the opposite problem - i.e. the session does not slide. My problem is that it never seems to stop.

The only way I am able to get automatically logged out for an expired session is if I make the window absolute (SlidingExpiration = false).

I'm using IdentityServer 4 with ASP.NET Identity for the backing user store.

The configuration of the cookie which I currently have is:

services.AddIdentity<IdpUser, IdentityRole<int>>()
    .AddEntityFrameworkStores<IdpDbContext>()
    .AddDefaultTokenProviders();

// Note ASP.NET identity uses a cookie called "Identity.Application"
services.ConfigureApplicationCookie(options =>
{
    options.ExpireTimeSpan = TimeSpan.FromMinutes(15); // for testing purposes
    options.SlidingExpiration = true;
});

Our client is a Vuejs app using oidc-client.js to manage the tokens.

I've reduced all of the lifetimes in the client configuration down to 300s (including the access token). So, it gets a new access_token every 300s.

I would expect that if I logged in, walked away for more than 15 minutes and came back, I would have been logged out. But this is not the case. It keeps getting new tokens.

Even if I refresh the whole page, I am still not logged out.

Following further investigation, I believe the constant polling which oidc-client.js does is extending the sliding window for the authentication cookie. This is a theory based on observed behavior. I increased the duration of the access_token lifetime such that it was longer than the authentication cookie. In this case, the user was logged out after the auth cookie expired, presumably because the client did not request another access_token in that time (thereby extending the window).

So it seems that the sliding window will keep sliding until the SlidingRefreshTokenLifetime is reached, which defaults to around 15 days.

Is reducing the SlidingRefreshTokenLifetime down to something like 3 hours likely to be my answer?

Thanks

onefootswill
  • Probably unrelated but you should always set an application specific name for the cookie (options.Cookie.Name I think) so that you don't have multiple unrelated cookies with the same default name (Identity.Application). – Jamie Ide May 17 '21 at 12:55

1 Answer


My guess is you are overriding it unknowingly, since it's poorly documented. Double check whether you are using the token lifetime so you are not overriding it. SlidingExpiration is on your cookie middleware only.

To fix it, try setting UseTokenLifetime = false;

Double check/set it up both in the OpenID options on the client and in the CookieOptions on the IdentityServer middleware.


Update/Response to comment:

@onefootswill, yes, these are very much part and parcel of IdentityServer4 and ASP.NET Core 2, 3 & 5; please look at the official documentation pictures below.

Identity Server 4

IdentityServer Official Documentation Sliding Expiration (image)

Microsoft

Microsoft Official Documentation Token JWT Lifetime ASP Core (image)

MSDN ref

app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
    ...
    UseTokenLifetime = false,
    ...
});

Client

For JWT, did you set up your client with the access and the refresh token? There are two; make sure you configure those as well. Refresh token

var idsClient = new Client
{
    ClientName = configuredOption.Name,
    ClientId = configuredOption.ClientId,
    RequireConsent = false,
    RequirePkce = false,
    AllowOfflineAccess = true,
    AllowAccessTokensViaBrowser = true,
    // Double check how you configure RefreshTokenUsage:
    // you can do one time or other options
    RefreshTokenUsage = TokenUsage.OneTimeOnly,
    RefreshTokenExpiration = TokenExpiration.Sliding,
    // AccessTokenLifetime is an int (seconds); TotalSeconds is a double, so cast it
    AccessTokenLifetime = (int)new TimeSpan(2, 0, 0).TotalSeconds,
    //AccessTokenLifetime = 7200, //2 hours
    AbsoluteRefreshTokenLifetime = xx, // set this up
    SlidingRefreshTokenLifetime = yy // set this up
};

Update 2: for oidc-client-js, this should work in your Vue.js app.

Out of the box I don't think it's there, but you can implement/make the user re-login after a period of inactivity.

In your oidc-client-js, configure automaticSilentRenew to false and set up your UserSsoLifetime; good sample code/question and quickstart UI from GitHub.

  • Implement your own logic to indicate user inactivity and call the SigninSilent API (sample code). After the inactivity, to get the user to expire/re-login:
    1. automaticSilentRenew = false
    2. configure UserSsoLifetime in the IdentityServer configuration: "The maximum duration (in seconds) since the last time the user authenticated...."

oidc client management

Transformer
  • I've searched my projects and am not using that at all. Further to that, I don't think that actually exists anymore in the modern API. I could not find it in any of the options objects. On my API, I'm using the AddJwtBearer extension which is used fluently after the call to services.AddAuthentication. – onefootswill May 24 '21 at 22:36
  • 1
    @onefootswill please see the documentation I attached - it's *very much part and parcel* of the _modern API_. Please try to add/code and configure it; it works for me with these configured. Make sure you hard delete the cache, and if it's still not working we can try something else – Transformer May 24 '21 at 23:41
  • Firstly, I acknowledge I was wrong that the API you mentioned was not current. Otherwise, would you use `UseOpenIdConnectAuthentication` for a SPA? My client app is a Vuejs application which communicates with the Idp via `oidc-client.js`. So, the ASP.NET project is an API only. That's why I was using AddJwtBearer. No cookie gets sent to the API. The cookie is only relevant to the Vue.js app and its relationship with the IDP via the Auth Code flow. – onefootswill May 25 '21 at 00:23
  • @onefootswill got it... try the above in `oidc-client.js`. It's piecemeal, but hope it gives you the client token and sample code to help. I am going to have to clean up my answer :) – Transformer May 25 '21 at 03:11
  • Cheers. I'll check out that UserSsoLifetime property. I have to make sure this works with AD users as well. Sometimes the users will be stored using ASP's Identity framework and sometimes they will be pulled from local AD using LDAP. – onefootswill May 25 '21 at 03:51
  • dude @onefootswill your list keeps evolving!!! put up a separate question please :) – Transformer May 25 '21 at 03:53
  • apologies for that. I only just thought of the AD aspect. Having said that, I'd like to get it working for the Identity aspect first, as that is the "low hanging fruit". – onefootswill May 25 '21 at 03:55
  • sure, please do upvote if it's been helpful or works! – Transformer May 25 '21 at 03:58
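An added example (not code from the question, the answer, or oidc-client-js itself) of the inactivity-gated renewal the answer's Update 2 describes: with automaticSilentRenew off, the client renews only while the user has been active recently, so an unattended tab stops extending the IdentityServer cookie's sliding window. The UserManager interface (signinSilent, removeUser, events.addAccessTokenExpiring) is assumed from oidc-client.js; the 15 minute idle limit and 5 minute token mirror the question's numbers.

```javascript
// Added example, not from the question or answer. With automaticSilentRenew
// off, renew only while the user is actually active, so an idle tab's
// background renewals stop sliding the IdentityServer cookie window.
// Assumed: an oidc-client.js-style UserManager with signinSilent() and
// removeUser(); the clock is injectable so the flow can run offline.
class IdleAwareRenewer {
  constructor(userManager, { idleLimitMs, now = () => Date.now() }) {
    Object.assign(this, { userManager, idleLimitMs, now, lastActivity: now() });
  }

  // Wire to real input events (mousemove, keydown, click, touchstart).
  recordActivity() { this.lastActivity = this.now(); }

  // Wire to userManager.events.addAccessTokenExpiring(...). Renews only if the
  // user was active within idleLimitMs; otherwise drops the local user so the
  // next navigation must re-authenticate at the IdP. Returns the action taken.
  onAccessTokenExpiring() {
    if (this.now() - this.lastActivity >= this.idleLimitMs) {
      this.userManager.removeUser();
      return 'expire';
    }
    this.userManager.signinSilent();
    return 'renew';
  }
}

// Constructed fake UserManager that records calls, so no browser is needed.
function fakeUserManager() {
  const calls = [];
  return {
    calls,
    signinSilent: () => { calls.push('signinSilent'); return Promise.resolve(); },
    removeUser: () => { calls.push('removeUser'); return Promise.resolve(); },
  };
}
// Walk-through with the question's numbers: 15 min idle limit, 5 min token.
function demo() {
  let clock = 0;
  const um = fakeUserManager();
  const r = new IdleAwareRenewer(um, { idleLimitMs: 15 * 60000, now: () => clock });
  clock = 5 * 60000;   // first expiry: last activity 5 min ago -> renew
  const a1 = r.onAccessTokenExpiring();
  clock = 12 * 60000;  // user touches the page at 12 min
  r.recordActivity();
  clock = 15 * 60000;  // second expiry: only 3 min idle -> renew
  const a2 = r.onAccessTokenExpiring();
  clock = 30 * 60000;  // third expiry: 18 min idle -> expire
  const a3 = r.onAccessTokenExpiring();
  return { actions: [a1, a2, a3], calls: um.calls };
}
```

In the browser, pair this with automaticSilentRenew: false in the UserManager settings; the server-side UserSsoLifetime the answer mentions still acts as the hard ceiling if the client-side timer is bypassed.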