abpframework / abp

Open-source web application framework for ASP.NET Core! Offers an opinionated architecture to build enterprise software solutions with best practices on top of the .NET. Provides the fundamental infrastructure, cross-cutting-concern implementations, startup templates, application modules, UI themes, tooling and documentation.
https://abp.io
GNU Lesser General Public License v3.0

Consider to decrease access token lifetime for the Angular & Blazor UI #5253

Open hikalkan opened 3 years ago

hikalkan commented 3 years ago

We've implemented refresh tokens with v3.1. So, we can decrease the access token lifetime. The current value is 1 year! 😄

We will do it for the startup template; anyone can do it now for their application, in the database (IdentityServerClients table) and in the data seed code.

Note: This can be a problem since refresh tokens were not implemented for other clients, like Blazor.

hikalkan commented 3 years ago

Also, it would be better to equalize id token and access token lifetimes.

olicooper commented 3 years ago

Will the values be set to the defaults found in the IdentityServer docs? e.g.

SlidingRefreshTokenLifetime = (int)TimeSpan.FromDays(15).TotalSeconds,
AbsoluteRefreshTokenLifetime = (int)TimeSpan.FromDays(30).TotalSeconds,
AccessTokenLifetime = (int)TimeSpan.FromHours(1).TotalSeconds,
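
An added example, not part of the issue or of ABP's code: a check over IdentityServer4 `Client` definitions for the three points raised in this thread (an access token that lives too long, id and access token lifetimes that differ, and a short access token with no refresh token to renew it). The 1 hour ceiling, the class name and the `ClientId` values are assumptions made for this example; the lifetimes are the ones quoted above.

```csharp
using System;
using System.Collections.Generic;
using IdentityServer4.Models; // NuGet package: IdentityServer4

public static class TokenLifetimeAudit
{
    // Assumed ceiling for this example: the 1 hour value quoted in the thread.
    static readonly int MaxAccessTokenSeconds = (int)TimeSpan.FromHours(1).TotalSeconds;

    // Returns one finding per issue the thread raises for a client definition.
    public static List<string> Check(Client c)
    {
        var findings = new List<string>();
        if (c.AccessTokenLifetime > MaxAccessTokenSeconds)
            findings.Add($"{c.ClientId}: access token lives {c.AccessTokenLifetime}s (ceiling {MaxAccessTokenSeconds}s)");
        if (c.IdentityTokenLifetime != c.AccessTokenLifetime)
            findings.Add($"{c.ClientId}: id token ({c.IdentityTokenLifetime}s) and access token ({c.AccessTokenLifetime}s) lifetimes differ");
        // A short access token needs a renewal path; without offline access no refresh token is issued.
        if (c.AccessTokenLifetime <= MaxAccessTokenSeconds && !c.AllowOfflineAccess)
            findings.Add($"{c.ClientId}: short access token but refresh tokens are not enabled");
        return findings;
    }

    public static void Main()
    {
        // Constructed sample clients; the ClientId values are hypothetical.
        var longLived = new Client
        {
            ClientId = "Example_App_LongLived",
            AccessTokenLifetime = (int)TimeSpan.FromDays(365).TotalSeconds,
            IdentityTokenLifetime = (int)TimeSpan.FromDays(365).TotalSeconds
        };
        var shortLived = new Client
        {
            ClientId = "Example_App_ShortLived",
            AllowOfflineAccess = true, // lets the client request refresh tokens
            AccessTokenLifetime = (int)TimeSpan.FromHours(1).TotalSeconds,
            IdentityTokenLifetime = (int)TimeSpan.FromHours(1).TotalSeconds,
            SlidingRefreshTokenLifetime = (int)TimeSpan.FromDays(15).TotalSeconds,
            AbsoluteRefreshTokenLifetime = (int)TimeSpan.FromDays(30).TotalSeconds,
            RefreshTokenExpiration = TokenExpiration.Sliding // sliding lifetime applies only in this mode
        };
        foreach (var client in new[] { longLived, shortLived })
            foreach (var finding in Check(client))
                Console.WriteLine(finding);
    }
}
```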