IdentityServer / IdentityServer2

[deprecated] Thinktecture IdentityServer is a light-weight security token service built with .NET 4.5, MVC 4, Web API and WCF.

Refresh token with WS-Federation #430

Closed jkrlin closed 10 years ago

jkrlin commented 10 years ago

Is there a way to refresh the token if it is still being used? Ideally we would like to have tokens with a short lifespan (e.g. 30 minutes) but don't want users to have to re-authenticate when they expire. Is there a way to ask IdentityServer for a refreshed token or another option?

Thanks

John K.

leastprivilege commented 10 years ago

They don't have to re-authenticate as long as the authentication cookie with IdSrv is still valid. The browser has to do the redirect dance, though.

jkrlin commented 10 years ago

Hmmm... Either I'm doing something wrong or this doesn't quite work with a custom STS.

1) https://myidsrv.com/issue/hrd?wa=wsignin1.0&wtrealm=urn%3aMyRelyingParty&wctx=rm%3d0%26id%3dpassive%26ru%3d%252f&wct=2013-09-24T23%3a34%3a09Z&whr=MyHomeRealm
2) After the redirects I sign into the STS, authenticate and am redirected to my relying party.
3) After some time I again hit the URL from 1) above, but again I am brought to the STS login page. A new token is not issued unless I sign in again.

So... does the STS need to have some special logic to handle this? Also, we are using token caching with the bootstrap method.

leastprivilege commented 10 years ago

The HRD endpoint is only a gateway - authentication is handled at the corresponding STS. The IdP needs to establish and maintain the logon session.
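The flow the answers describe, as an added example in Python that is not IdentityServer's or the custom STS's own code: the relying party issues short-lived tokens, and when one expires the browser is sent back through the wsignin1.0 request from the question; a toy STS then re-issues a token without prompting as long as its own logon-session cookie is still valid, and shows the login page only once that session has lapsed. The 8-hour session lifetime, the credential check and the cookie format are constructed assumptions; the request parameters (wa, wtrealm, wctx, wct, whr) are the ones in the thread's URL.

```python
"""Toy model of WS-Federation passive sign-in with a short RP token and a longer IdP session.
Added example; assumed values are marked as such."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

TOKEN_LIFETIME = timedelta(minutes=30)    # short-lived RP token, as asked for in the question
SESSION_LIFETIME = timedelta(hours=8)     # IdP logon-session cookie lifetime (assumed value)
_CONSTRUCTED_PASSWORD = "correct horse battery staple"  # constructed credential for the toy login


def build_signin_url(issuer, realm, home_realm, now, ctx="rm=0&id=passive&ru=/"):
    """Build the wsignin1.0 request the RP redirects the browser to (same parameters as the thread's URL)."""
    params = {
        "wa": "wsignin1.0",
        "wtrealm": realm,
        "wctx": ctx,
        "wct": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "whr": home_realm,
    }
    return f"{issuer}/issue/hrd?{urlencode(params)}"


def parse_signin_request(url):
    """Decode the query string; reject anything that is not a sign-in request."""
    q = parse_qs(urlparse(url).query)
    if q.get("wa") != ["wsignin1.0"]:
        raise ValueError("not a WS-Federation sign-in request")
    return {k: v[0] for k, v in q.items()}


class Sts:
    """Toy STS: one logon session per browser cookie; tokens are issued while that session lasts."""

    def __init__(self):
        self._sessions = {}   # cookie value -> (subject, session expiry)
        self._counter = 0

    def login(self, username, password, now):
        """Interactive login: on success create the logon session and return its cookie value."""
        if password != _CONSTRUCTED_PASSWORD:
            return None
        self._counter += 1
        cookie = f"idsrv-session-{self._counter}"   # assumed cookie format
        self._sessions[cookie] = (username, now + SESSION_LIFETIME)
        return cookie

    def handle_signin(self, url, session_cookie, now):
        """Return ('token', token, wctx) if the session is still valid, else ('login_page', wtrealm)."""
        req = parse_signin_request(url)
        sess = self._sessions.get(session_cookie)
        if sess is None or now >= sess[1]:
            self._sessions.pop(session_cookie, None)   # expired sessions are discarded, not extended
            return ("login_page", req["wtrealm"])
        subject, _ = sess
        token = {"sub": subject, "aud": req["wtrealm"], "exp": now + TOKEN_LIFETIME}
        return ("token", token, req["wctx"])


def rp_decision(token, now):
    """RP side: serve while the token is fresh, otherwise start the redirect dance."""
    if token is None or now >= token["exp"]:
        return "redirect_to_sts"
    return "serve"


def walkthrough():
    """Replay the three steps from the question and return what the STS did at each one."""
    t0 = datetime(2013, 9, 24, 23, 34, 9, tzinfo=timezone.utc)
    issuer, realm, home = "https://myidsrv.com", "urn:MyRelyingParty", "MyHomeRealm"
    sts = Sts()

    # 1) First visit: no IdP session yet, so the STS shows its login page.
    first = sts.handle_signin(build_signin_url(issuer, realm, home, t0), None, t0)
    cookie = sts.login("john", _CONSTRUCTED_PASSWORD, t0)
    _, token, _ = sts.handle_signin(build_signin_url(issuer, realm, home, t0), cookie, t0)

    # 3) 31 minutes later the RP token has expired, but the IdP session has not:
    #    the redirect yields a fresh token with no login prompt.
    t1 = t0 + timedelta(minutes=31)
    rp_state = rp_decision(token, t1)
    second = sts.handle_signin(build_signin_url(issuer, realm, home, t1), cookie, t1)

    # Once the IdP session itself has lapsed the user must authenticate again.
    t2 = t0 + timedelta(hours=9)
    third = sts.handle_signin(build_signin_url(issuer, realm, home, t2), cookie, t2)
    return first[0], rp_state, second[0], third[0]


if __name__ == "__main__":
    print(walkthrough())
```

The point the example isolates is that the two lifetimes are independent: the RP token can be as short as you like, and what decides whether the user sees a login page is only whether the STS still holds a valid logon session for the browser's cookie. A custom STS that issues a token on every sign-in request but never persists that session will behave exactly as described in the question.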