I have a requirement to expire the session after 10 minutes of inactivity in the application and send them to the authentication page. I am using ASP.NET Core 3.0 with Angular 9 as the SPA and the built-in IdentityServer4.

The Angular application checks the JWT token for validation; however, the Angular app has no link with the session. What is the best way to solve this issue?

The configuration I did for the identity server:

services.AddIdentityServer(options =>
    {
        options.UserInteraction.ErrorUrl = "/Identity/error";

        options.Events.RaiseErrorEvents = true;
        options.Events.RaiseFailureEvents = true;
        options.Events.RaiseInformationEvents = true;
        options.Authentication.CookieAuthenticationScheme = IdentityConstants.ApplicationScheme;
        options.Authentication.CookieLifetime = TimeSpan.FromMinutes(10);
        options.Authentication.CookieSlidingExpiration = true;
    })
    .AddSigningCredential(signingCert)
    .AddInMemoryIdentityResources(IdSvrConfig.IdentityResources)
    .AddInMemoryClients(IdSvrConfig.Clients)
    .AddInMemoryApiResources(IdSvrConfig.Apis)
    .AddAspNetIdentity<ApplicationUser>()
    .AddProfileService<AspNetIdentityProfileService>();

Setting the below configuration should work, but it is not working:

options.Authentication.CookieLifetime = TimeSpan.FromMinutes(10);
options.Authentication.CookieSlidingExpiration = true;

I also tried the below code:

services.AddAuthentication().AddCookie(options =>
    {
        options.ExpireTimeSpan = TimeSpan.FromMinutes(10);
        options.SlidingExpiration = true;
    });

I have removed the "remember me" checkbox from the login page of the Identity server, and in the controller I have set the value to false as below:

var result = await _signInManager.PasswordSignInAsync(Input.Email, Input.Password, false, lockoutOnFailure: true);

In the browser dev console, I can see the below cookies

Angular

public async completeSignIn(url: string): Promise<IAuthenticationResult> {
  try {
    await this.ensureUserManagerInitialized();

    const user = await this.userManager.signinCallback(url);

    this.userSubject.next(user);
    return this.success(user && user.state);
  } catch (error) {
    console.log('There was an error signing in: ', error);
    return this.error('There was an error signing in.');
  }
}

The problem is that when the application is inactive for 10 minutes, it doesn't redirect the user to the login page. Even if I close the browser and reopen it, it goes directly to the application without the login process.

San Jaisy
  • You've described what you were trying to do, you then describe some things you've set up, and then... completely fail to describe what *problem* you have. – Damien_The_Unbeliever Aug 13 '21 at 14:42
  • "Activity" as far as the server is concerned, is *requests*, not "reading page contents" or "filling in a form". Are you very sure about those 10 secs? – Hans Kesting Aug 13 '21 at 14:45
  • @Damien_The_Unbeliever updated the question with the problem at the end of the section – San Jaisy Aug 13 '21 at 14:58
  • @HansKesting it is supposed to be 2 minutes, but to check the functionality I am making it 10 seconds for now – San Jaisy Aug 13 '21 at 14:58
  • I'm missing some information to answer this question correctly. Which flow are you using? And how is your Angular app configured? Also, what is the lifetime of your JWT token? – ErazerBrecht Aug 14 '21 at 21:19
  • @ErazerBrecht I have the following configuration: AccessTokenLifetime = 300, IdentityTokenLifetime = 300, AllowedGrantTypes = GrantTypes.Code. The Angular application is using the oidc-client-js library to communicate with the identity server. The flow is Authorization code – San Jaisy Aug 15 '21 at 01:47
  • @ErazerBrecht My problem is this https://stackoverflow.com/questions/57607178/log-out-user-when-idle-using-identityserver4-oidc-client-js-in-angular but I haven't found the solution yet – San Jaisy Aug 15 '21 at 01:54
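
The comments above note that the server only counts requests as activity, so an idle limit on user input has to be measured in the browser. The following is an added example, not part of the original question or its comments: a small TypeScript idle monitor with an injectable clock. The names `IdleSessionMonitor`, `ActivitySource` and `onIdle` are hypothetical, and wiring `onIdle` to a sign-out call is an assumption. It complements the server-side cookie and token lifetimes and does not replace them.

```typescript
// Added example (not from the question). IdleSessionMonitor, ActivitySource
// and onIdle are hypothetical names.
type Clock = () => number; // milliseconds

interface ActivitySource {
  addEventListener(type: string, listener: () => void): void;
}

class IdleSessionMonitor {
  private lastActivity: number;
  private expired = false;
  private readonly idleLimitMs: number;
  private readonly onIdle: () => void;
  private readonly now: Clock;

  constructor(idleLimitMs: number, onIdle: () => void, now: Clock = () => Date.now()) {
    this.idleLimitMs = idleLimitMs;
    this.onIdle = onIdle;
    this.now = now;
    this.lastActivity = now();
  }

  // Subscribe to user-input events, e.g. watch(window) in the browser.
  watch(source: ActivitySource, events: string[] = ['mousemove', 'keydown', 'click', 'touchstart']): void {
    for (const e of events) source.addEventListener(e, () => this.recordActivity());
  }

  // Ignored once expired, so late input cannot revive an ended session.
  recordActivity(): void {
    if (!this.expired) this.lastActivity = this.now();
  }

  // Milliseconds left before the idle limit is reached.
  remainingMs(): number {
    if (this.expired) return 0;
    return Math.max(0, this.idleLimitMs - (this.now() - this.lastActivity));
  }

  // Call on a timer (e.g. setInterval). Fires onIdle exactly once.
  check(): boolean {
    if (!this.expired && this.remainingMs() === 0) {
      this.expired = true;
      this.onIdle(); // assumption: the app signs out here, e.g. userManager.signoutRedirect()
    }
    return this.expired;
  }
}
```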

0 Answers