aspnet / AspNetKatana

Microsoft's OWIN implementation, the Katana project
Apache License 2.0
968 stars 334 forks source link

Should OIDC middleware be refreshing a `code id_token` when close to expiry? #517

Open nbevans opened 11 months ago

nbevans commented 11 months ago

Setting the UseTokenLifetime to false gives the cookie a really long lifetime and seemingly the exp is no longer honoured? So the token has expired (as they're only 60-90mins in duration) from AAD.

Setting UseTokenLifetime to true makes the cookie expire at the same time as the token - but if the user is still using the web app they get kicked out to the logon screen. Shouldn't it be auto-refreshing the token when its >50% into its lifetime?

It's all a bit confusing the way expiry works on this thing.

Tratcher commented 11 months ago

The OIDC token is used to log into your app. However once you're logged in you are then working with the local cookie auth, not the token. When UseTokenLifetime is false the lifetime is configured using CookieAuthenticationOptions, adjust it as you see fit. This cookie will auto-renew locally while they're active, it won't check with OIDC server until a new login is needed (e.g. they signed out or went idle and expired).

When UseTokenLifetime is true then the cookie lifetime is fixed to the token lifetime, which tend to be short (1h), and there is no auto re-new. When it expires they will be sent back to the OIDC server for a fresh token. If they're still current on the OIDC server then that new token can be obtained automatically, otherwise they'll be prompted. The redirect happens regardless.

nbevans commented 11 months ago

Okay so does this mean that the RefreshToken never gets used by this middleware?

Tratcher commented 11 months ago

No it doesn't.