How to disable refresh token using angular-auth-oidc-client and openiddict?

Question

I am using angular-auth-oidc-client lib with openiddict as identity server:

openiddict config:

.AddServer(options =>
   {
       // Enable the authorization, logout, token and userinfo endpoints.
       options.SetAuthorizationEndpointUris(
                 openIddictConfig.AuthorizationEndpointUris)
               .SetLogoutEndpointUris(openIddictConfig.LogoutEndpointUris)
               .SetTokenEndpointUris(openIddictConfig.TokenEndpointUris)
               .SetAccessTokenLifetime(TimeSpan.FromSeconds(10))
               .SetIdentityTokenLifetime(TimeSpan.FromSeconds(10))
               .SetUserinfoEndpointUris(openIddictConfig.UserinfoEndpointUris);

       // Mark the "email", "profile" and "roles" scopes as supported scopes.
       options.RegisterScopes(Scopes.Email, Scopes.Profile, Scopes.Roles);
       options.SetAccessTokenLifetime(TimeSpan.FromSeconds(10))
               .SetIdentityTokenLifetime(TimeSpan.FromSeconds(10));
       // Note: this sample only uses the authorization code flow but you can enable
       // the other flows if you need to support implicit, password or client credentials.
       options.AllowAuthorizationCodeFlow().RequireProofKeyForCodeExchange();
       //options.AllowRefreshTokenFlow();

       // Register the signing and encryption credentials.
       options.AddDevelopmentEncryptionCertificate()
               .AddDevelopmentSigningCertificate();

       // Register the ASP.NET Core host and configure the ASP.NET Core-specific options.
       options.UseAspNetCore()
               .DisableTransportSecurityRequirement()
               .EnableAuthorizationEndpointPassthrough()
               .EnableLogoutEndpointPassthrough()
               .EnableTokenEndpointPassthrough()
               .EnableUserinfoEndpointPassthrough()
               .EnableStatusCodePagesIntegration();

       // Encryption and signing of tokens
       options
       //    .AddEphemeralEncryptionKey()
       //    .AddEphemeralSigningKey()
           .DisableAccessTokenEncryption();
   })

Angular config:

getOpenIDConfiguration(): OpenIdConfiguration {
  return {
   authority: this.oidcConfig.authority,
   clientId: this.oidcConfig.clientId,
   redirectUrl: this.oidcConfig.redirectUrl,
   postLogoutRedirectUri: this.oidcConfig.postLogoutRedirectUri,
   scope: 'openid profile email ',
   responseType: 'code',
   silentRenew: false,
   useRefreshToken: false,
   logLevel: LogLevel.Debug,
  }
}

NB: with this configuration when the token lifetime is expired there is a refresh token.

All I need is to disable the refresh token and set the expired lifetime to the token finally how to implement an expired token handler and log out? Thank you guys for your help.

Wouldnt you just have to remove .AllowRefreshTokenFlow()? I see you don't have it active, but there is nothing indicating the refresh token flow being active — Stanley, Dec 21 '22 at 14:44
i remove it but she still refresh token, my problem is all refresh token is disable on back and front but the application still refresh token when it's expired. — karim chelly, Dec 22 '22 at 06:56
This may be a shot in the dark, but try with a clean database if possible, I've had issues where the database has not updated the clients permissions and settings since the initial migration. — Stanley, Dec 22 '22 at 07:59
i think every think is okay on database : [1]: https://i.stack.imgur.com/ijuxQ.png — karim chelly, Dec 22 '22 at 10:23
@Stanley i delete the databse and create new one with the new configuration but hte problem persist so if you have some ideas — karim chelly, Dec 22 '22 at 10:29
I'm fairly new to Openiddict aswell, but i can take a deeper look. Do you have a public repository? Can i see your response from the server and the definition of your client in the code? — Stanley, Dec 22 '22 at 14:55

How to disable refresh token using angular-auth-oidc-client and openiddict?

0 Answers0