skoruba / Duende.IdentityServer.Admin

The administration for the Duende IdentityServer and Asp.Net Core Identity ⚡
Apache License 2.0

Access token lifetime #151

Open Milad-Rashidi-Git opened 1 year ago

Milad-Rashidi-Git commented 1 year ago

I have configured a test client for the STS project.

When I change the value of AccessTokenLifetime in the database for this client to 60 seconds, the expiration time of the issued JWT correctly changes to 60 seconds, but in fact, using this token, I can still access the secured API after 60 seconds (after its expiration time).

This can happen up to 360 seconds, and I don't know where those extra 300 seconds are added to the token's expiration time.

Milad-Rashidi-Git commented 1 year ago

Should the client be configured to change the default clock skew value to something different than 5 minutes?

apetrut commented 1 year ago

@Milad-Rashidi-Git I got the same issue. I have configured the token to expire after 60 seconds, but it expires after roughly 420 seconds (7 minutes). Have you managed to find a solution?


@skoruba Can you confirm which property is taken into consideration when expiring a token?

Milad2017 commented 1 year ago

This commit adds the option to adjust ClockSkew on the API Resource side.

You can set its default value to less than 5 minutes (default time), but you should be careful about performance since the API Resource will interact with the IDP at the specified interval.

apetrut commented 1 year ago

@Milad-Rashidi-Git So the clock skew gets added to whatever value is set in the Access Token Lifetime field?

What about the Authorization Code Lifetime value? How is that being used?

Milad2017 commented 1 year ago

@apetrut Even if you set the AccessTokenLifetime to 1 second, it will not work until the API Resource interacts with the IDP to validate the token that it has already checked. In this example, if we set AccessTokenLifetime to 1 second and ClockSkew to 30 seconds, the requests with the token to the API Resource will receive a 401 error after 31 seconds.

The usage of the AuthorizationCodeLifetime is different from the AccessTokenLifetime. For more information about Authorization Code Lifetime, kindly refer to this article.
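For reference, this is how the skew tolerance described above is set on the API side in ASP.NET Core. It is an added example, not code from this project or from the commenters; the authority URL and audience name are assumed placeholders.

```csharp
// Added example (not from Duende.IdentityServer.Admin): JWT bearer setup for an API resource.
// TokenValidationParameters.ClockSkew defaults to 5 minutes, so a token with a 60 s
// AccessTokenLifetime is still accepted for up to 360 s after it was issued.
using Microsoft.AspNetCore.Authentication.JwtBearer;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = "https://sts.example.com"; // assumed STS address
        options.Audience = "api1";                      // assumed API resource name

        // Tighten the tolerance for clock drift between the STS and the API.
        // With a 60 s lifetime this makes expired tokens fail with 401 after ~90 s
        // instead of ~360 s. Keep it non-zero: the two hosts' clocks are never identical.
        options.TokenValidationParameters.ClockSkew = TimeSpan.FromSeconds(30);
    });

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/secured", () => "ok").RequireAuthorization();
app.Run();
```

The skew only governs local validation of the exp/nbf claims in a self-contained JWT; it does not cause extra calls to the STS.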

apetrut commented 1 year ago

@Milad-Rashidi-Git thank you for your answer. I expect that the default value set by Microsoft for the clock skew (300 seconds) is to avoid performance issues caused by too many interrogations of the IDP server in a short amount of time.