IdentityServer / IdentityServer2

[deprecated] Thinktecture IdentityServer is a light-weight security token service built with .NET 4.5, MVC 4, Web API and WCF.

Question: Refresh Token Expiration settings #820

Closed TD49 closed 9 years ago

TD49 commented 9 years ago

We're using OAuth2's Resource Owner Credentials Grant with IdServ v2. Clients consume the OAuth2 endpoint to successfully retrieve access tokens using the OAuth2Client from your IdentityModel bits.

Recently, we enabled Refresh Tokens, which also works fine, but we have no control over its expiration. We planned to make access token expiration short while keeping refresh token long. The IdServ Admin UI provides a way to handle access token expiration (at the global or the RP level), but we didn't see a clear way to modify Refresh Token expiration.

Is there a recommended way to modify expiration short of changing data in the token's persistent storage directly?

I noticed it's supported in V3 here: https://github.com/thinktecture/Thinktecture.IdentityServer.v3/wiki/Refresh-Tokens

leastprivilege commented 9 years ago

V2 has no built-in way to control refresh token lifetime.

TD49 commented 9 years ago

I understand that V2 refresh token usage is one-time use only. Until we can migrate to V3 RTM in the future, I could modify local source code to allow setting an absolute max lifetime programmatically or at least through config.

I found the StoredGrant model in your source code. You have two static methods, one of which is a CreateRefreshToken method. Doesn't appear to be used or referenced, so couldn't trace how the "ttl" argument is set when applying what appears to be a max lifetime setting.

Is this deprecated code and I'm on the wrong track here?
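
The behaviour discussed in the comment above (one-time-use refresh tokens with an absolute maximum lifetime taken from configuration) can be enforced at issuance and redemption as shown here. This is an added example, not part of the original thread and not IdentityServer v2 code; `RefreshGrant`, `RefreshTokenStore` and their members are hypothetical names, and the in-memory dictionary stands in for the persistent grant store.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// Hypothetical types for illustration; these are not IdentityServer v2 classes.
public sealed class RefreshGrant
{
    public string Subject { get; set; }
    public string ClientId { get; set; }
    public DateTime AbsoluteExpiryUtc { get; set; }
}

public sealed class RefreshTokenStore
{
    private readonly ConcurrentDictionary<string, RefreshGrant> _grants =
        new ConcurrentDictionary<string, RefreshGrant>();
    private readonly TimeSpan _maxLifetime;   // assumed to come from configuration

    public RefreshTokenStore(TimeSpan maxLifetime) { _maxLifetime = maxLifetime; }

    // First issuance: the absolute deadline is fixed here and never extended.
    public string Issue(string subject, string clientId, DateTime nowUtc)
    {
        return Store(new RefreshGrant { Subject = subject, ClientId = clientId,
                                        AbsoluteExpiryUtc = nowUtc + _maxLifetime });
    }

    // Redemption: the handle is removed atomically, so it works once at most.
    // A mismatched client or an expired grant leaves the handle revoked.
    // Returns the replacement handle, or null when the request is rejected.
    public string Redeem(string handle, string clientId, DateTime nowUtc)
    {
        RefreshGrant grant;
        if (!_grants.TryRemove(handle, out grant)) return null;   // unknown or replayed
        if (grant.ClientId != clientId) return null;              // wrong client
        if (nowUtc >= grant.AbsoluteExpiryUtc) return null;       // past max lifetime
        return Store(grant);   // rotated handle inherits the original deadline
    }

    private string Store(RefreshGrant grant)
    {
        var bytes = new byte[32];   // 256-bit random handle
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        var handle = Convert.ToBase64String(bytes);
        _grants[handle] = grant;
        return handle;
    }
}
```

Because the rotated handle carries the original `AbsoluteExpiryUtc`, repeated refreshes cannot extend a session past the configured maximum, which lets access tokens stay short-lived while the refresh chain has a hard upper bound.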

leastprivilege commented 9 years ago

I actually can't remember - it is such a long time ago. You can of course change the code in any way you want. V3 will be released very soon.

TD49 commented 9 years ago

Great news re: "very soon". If V3 goes RTM by January or sooner, I have a case with higher-ups to officially begin migration away from V2 and not have to customize too much source code. I'll keep a look out for your roadmap.

brockallen commented 9 years ago

Yes, January is our target for release.

-Brock
