damienbod / AspNetCoreHybridFlowWithApi

Different ASP.NET Core applications using OpenID Connect Hybrid flow Code Flow, Code Flow with PKCE, JWT APIs, MFA examples
https://damienbod.com/2018/02/02/securing-an-asp-net-core-mvc-application-which-uses-a-secure-api/
MIT License

SlidingExpiration? #10

Closed nickalbrecht closed 2 years ago

nickalbrecht commented 4 years ago

Was going through the WebMVCClient example and the auth token caching implementation, when I found that the ApiTokenCacheClient is offsetting the expiration by the number of seconds in tokenResponse.ExpiresIn and also setting a sliding expiration of 1 day on top of that. Conversely, the ApiTokenInMemoryClient is only offsetting by the tokenResponse.ExpiresIn.

Is the expiration not a fixed point in time after being offset by the ExpiresIn value? Does sliding expiration do anything in this case? I'm assuming the token will be considered expired after the ExpiresIn has lapsed?

nickalbrecht commented 4 years ago

I misunderstood the code a little regarding the expiration. The AccessTokenItem.ExpiresIn is just a plain old date object of when it's no longer valid. The expiration for the CacheEntry is still set separately, so the DistributedCacheEntryOptions is still needed, but shouldn't it be using SetAbsoluteExpiration()?
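
An added example, not part of the thread and not code from the repository: a token cache entry whose absolute expiration is tied to the token lifetime, with the token's own expiry checked again on read. The `CachedToken` record, the `TokenCacheExample` class, the 30-second skew and the sample key and token values are assumptions made for illustration.

```csharp
// Requires the Microsoft.Extensions.Caching.Memory package (MemoryDistributedCache).
using System;
using System.Text.Json;
using Microsoft.Extensions.Caching.Distributed;
using Microsoft.Extensions.Caching.Memory;
using Microsoft.Extensions.Options;

// Hypothetical cache item: the token plus the instant it stops being valid.
public record CachedToken(string AccessToken, DateTimeOffset ExpiresAt);

public static class TokenCacheExample
{
    // Assumed safety margin so a token is never handed out in its last seconds.
    private static readonly TimeSpan Skew = TimeSpan.FromSeconds(30);

    public static bool Store(IDistributedCache cache, string key, string token, int expiresInSeconds)
    {
        // A lifetime shorter than the margin is not worth caching.
        if (TimeSpan.FromSeconds(expiresInSeconds) <= Skew) return false;

        var expiresAt = DateTimeOffset.UtcNow.AddSeconds(expiresInSeconds);
        // The entry leaves the cache at a fixed instant derived from ExpiresIn.
        // A sliding window would instead be renewed by every read of the entry.
        var options = new DistributedCacheEntryOptions()
            .SetAbsoluteExpiration(expiresAt - Skew);
        cache.SetString(key, JsonSerializer.Serialize(new CachedToken(token, expiresAt)), options);
        return true;
    }

    public static string? TryGet(IDistributedCache cache, string key)
    {
        var json = cache.GetString(key);
        if (json is null) return null;
        var item = JsonSerializer.Deserialize<CachedToken>(json);
        // Re-check the token's own expiry instead of trusting cache eviction alone.
        return item is not null && item.ExpiresAt - Skew > DateTimeOffset.UtcNow
            ? item.AccessToken
            : null;
    }

    public static void Main()
    {
        IDistributedCache cache = new MemoryDistributedCache(
            Options.Create(new MemoryDistributedCacheOptions()));
        // Constructed sample values.
        Console.WriteLine(Store(cache, "api-token", "constructed-sample-token", 3600));
        Console.WriteLine(TryGet(cache, "api-token") is not null);
        Console.WriteLine(Store(cache, "short-lived", "constructed-sample-token", 10));
    }
}
```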