aspnet / AspNetKatana

Microsoft's OWIN implementation, the Katana project
Apache License 2.0

Should OIDC middleware be refreshing a `code id_token` when close to expiry? #517

Open nbevans opened 7 months ago

nbevans commented 7 months ago

Setting the UseTokenLifetime to false gives the cookie a really long lifetime, and seemingly the exp is no longer honoured? So the token has expired (as they're only 60-90 mins in duration) from AAD.

Setting UseTokenLifetime to true makes the cookie expire at the same time as the token - but if the user is still using the web app they get kicked out to the logon screen. Shouldn't it be auto-refreshing the token when it's >50% into its lifetime?

It's all a bit confusing the way expiry works on this thing.

Tratcher commented 7 months ago

The OIDC token is used to log into your app. However, once you're logged in you are then working with the local cookie auth, not the token. When UseTokenLifetime is false the lifetime is configured using CookieAuthenticationOptions; adjust it as you see fit. This cookie will auto-renew locally while they're active; it won't check with the OIDC server until a new login is needed (e.g. they signed out or went idle and expired).

When UseTokenLifetime is true then the cookie lifetime is fixed to the token lifetime, which tends to be short (1h), and there is no auto renew. When it expires they will be sent back to the OIDC server for a fresh token. If they're still current on the OIDC server then that new token can be obtained automatically, otherwise they'll be prompted. The redirect happens regardless.
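As an added example (not code from this issue or from the Katana project), an OWIN `Startup` that wires up the two settings described above so the behaviour of each mode is visible in one place; the client id, authority, redirect URI and the 8-hour cookie window are placeholders and assumptions, not values from the issue:

```csharp
using System;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

// Added example (not from the Katana repo): an OWIN Startup showing the two
// UseTokenLifetime modes. ClientId/Authority/RedirectUri are placeholders.
public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        // Local session cookie. With UseTokenLifetime = false this is the ONLY
        // thing governing how long the user stays signed in, and nothing here
        // re-checks the OIDC server, so keep the window bounded: sliding
        // renewal keeps active users in, an idle user is dropped after
        // ExpireTimeSpan.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
            ExpireTimeSpan = TimeSpan.FromHours(8),   // assumption: one working day
            SlidingExpiration = true,                 // renew while the user is active
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = "<client-id>",                                   // placeholder
            Authority = "https://login.microsoftonline.com/<tenant>/",  // placeholder
            RedirectUri = "https://localhost:44300/",                   // placeholder
            ResponseType = "code id_token",

            // true  (default): cookie expires with the id_token (~1h), no local
            //                  renewal; on expiry the user is redirected to the
            //                  OIDC server, which re-issues silently only while
            //                  their session there is still current.
            // false: cookie lifetime comes from CookieAuthenticationOptions above
            //        and the token's exp is not enforced after sign-in.
            UseTokenLifetime = false,
        });
    }
}
```

The middleware does not use the refresh token in either mode, so a revoked or ended OIDC session is only noticed when the local cookie lapses and a fresh login is required.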

nbevans commented 7 months ago

Okay so does this mean that the RefreshToken never gets used by this middleware?

Tratcher commented 7 months ago

No it doesn't.