Closed Exagram closed 10 months ago
Try setting UseTokenLifetime to false. The OAuth tokens themselves often have a short lifetime even if the session is still valid. https://github.com/aspnet/AspNetKatana/blob/77497960c0adafcf2adaed1dc008f020595b28ab/src/Microsoft.Owin.Security.OpenIdConnect/OpenIdConnectAuthenticationOptions.cs#L298-L303
How does CookieAuthentication and OpenIdConnectAuthentication work under the hood? Any resources?
That's a much longer discussion 😁. Did you have a more specific question?
You mean to tell me UseTokenLifetime=true (default)
overwrites my Web.config sessionState.timeout=1800
hard-coded value with the one provided by Azure? Why would Microsoft set this boolean to true as default if the lifetime is very short?
A random blogger had a similar situation and discovered UseTokenLifetime=false
didn't help out:
AuthenticationTicket.Properties.ExpiresUtc
is nullHis solution was to keep UseTokenLifetime = true
and overwrite some AuthenticationTicket
properties:
// Startup.cs, on SecurityTokenValidated
// By default, OWIN copies the identity token lifetime onto the authentication ticket (UseTokenLifetime = true).
// https://docs.microsoft.com/en-us/previous-versions/aspnet/mt180971(v%3Dvs.113)
// IdentityServer4's default identity token lifetime is 5 minutes without refresh.
// https://docs.identityserver.io/en/dev/reference/client.html#token
// We want to have instead: 30 minutes plus refresh.
var sessionSection = (SessionStateSection) WebConfigurationManager.GetSection("system.web/sessionState");
context.AuthenticationTicket.Properties.ExpiresUtc = DateTimeOffset.UtcNow + sessionSection.Timeout;
context.AuthenticationTicket.Properties.AllowRefresh = true;
My colleague mentioned that the last line AllowRefresh = true
fixed the issue for us because it was mysteriously set to AllowRefresh = false
.
Note: I would like to gain a deeper knowledge on how these systems work rather than just getting it right:
Web.config's sessionState has no effect on Owin auth. Browser session and user session are distinct features.
Why would Microsoft set this boolean to true as default if the lifetime is very short?
For 'security', but after similar feedback we changed the default in the next version (AspNetCore).
14 days is the default for cookie auth, controlled by CookieAuthenticationOptions.ExpireTimeSpan. You're already updating that to 30m.
Goal: Add sliding expiration to my ASP.NET MVC web app (legacy) using
OpenIdConnect
connected to Azure B2C custom profile.App Code:
App Web.config:
Azure B2C Code:
Observations:
Understanding:
AuthenticationTicket
in a cookie due to CookieAuthentication.Questions: