Closed obrungot closed 4 weeks ago
RolandGuijt
commented
1 month ago The lifetimes of the session cookie and the tokens don't have anything to do with each other. In addition the refresh token is used to refresh the access token, not the session.
So we have to focus on how the session is configured here. Can you please share how the cookie scheme (CookieAuthenticationDefaults.AuthenticationScheme) is setup? It might be in the ConfigureAuthentication method.
obrungot
commented
1 month ago The server (shared hosting) was set to shutdown on 5 minutes user idle time, which probably caused the issue (alongside with me not grasping fully the session cookie and the tokens). Increasing the idle time, resolved the my immediate issue having the user being forced to sign in every 5 minutes of idle time.
I guess storing tokens in persistent cookies having them persists even if the session is ended is bad practice (security). Btw, love your courses on PluralSight 👍
Here's the setup
builder.Services.AddAuthentication(options =>
{
options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options =>
{
options.Events.OnSigningOut = async context =>
{
await context.HttpContext.RevokeRefreshTokenAsync();
};
})
.AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
options.Authority = builder.Configuration.GetSection("IDP:Authority").Get<string>();
options.ClientId = "blazor.webapp.authentication";
options.ClientSecret = "secret";
options.GetClaimsFromUserInfoEndpoint = true;
options.MapInboundClaims = true; //May need to set to true if you are using custom claims
options.TokenValidationParameters.NameClaimType = JwtRegisteredClaimNames.Name;
options.TokenValidationParameters.RoleClaimType = "role";
options.ResponseType = OpenIdConnectResponseType.Code;
options.SaveTokens = true;
//options.Scope.Clear();
options.Scope.Add(OpenIdConnectScope.OfflineAccess);
options.Scope.Add(OpenIdConnectScope.OpenIdProfile);
options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.CallbackPath = new PathString("/signin-oidc");
options.SignedOutCallbackPath = new PathString("/signout-callback-oidc");
options.RemoteSignOutPath = new PathString("/signout-oidc");
});
builder.Services.AddOpenIdConnectAccessTokenManagement();
builder.Services.AddDistributedMemoryCache();
builder.Services.AddCascadingAuthenticationState();
builder.Services.AddScoped<AuthenticationStateProvider, PersistingAuthenticationStateProvider>();
builder.Services.AddAuthorization();
builder.Services.AddHttpClient("api", options =>
{
options.BaseAddress = new Uri(builder.Configuration["BaseAddress"]);
});Thanks! Appreciate it. I have the feeling we can close this issue. If you have something to add please reopen.
Which version of Duende IdentityServer are you using? 7
Which version of .NET are you using? 8
Describe the bug I've set up the following,
When logging in I get authenticated and able to retrieve data from the API. All is good. The problem is that I get logged out if the user is idle for about 5 minutes.
I've set up offline_access for the use of reqest token, but whatever changes I try - I still get logged off having 5 min of idle time.
I've even set the access token lifetime to 2 hours on the IDP config as a workaround, but that seems to have no effect. A little bit of idle time and I'm routed back to the login page of the IDP.
AccessTokenLifetime = 7200
IdentityTokenLifetime = 7200
Not quite sure where to look anymore. Anyone who can shed some light on what I am missing?
Here's some of the most relevant setup
--------- Duende IDP Config --------------------------