IdentityServer4: How to set the identity token and access token timeout; my application does not redirect to logout when the access token expires

Created on 1 Mar 2017 · 28 Comments · Source: IdentityServer/IdentityServer4

I have an ASP.NET Core application and use AngularJS secured with IdentityServer. I make requests to a Web API, and the Web API is also secured with IdentityServer. Everything works fine until someone leaves the website open for some time, maybe 20 minutes or so; then the issue pops up: the web application makes a request to the Web API and the response is sometimes 401 and sometimes -1. I use an Angular HTTP interceptor for that, but it does not work perfectly.

What I need is to set up the identity token and access token timeout, e.g. 2 hours, after which the system should redirect to the logout page.

All 28 comments

This seems to be a general question about IdentityServer - not a bug report or an issue.

Please use StackOverflow for that. This has the advantage that questions and answers can be easily found by search engines, and that there are more people answering questions than just us.

For IdentityServer3
https://stackoverflow.com/questions/tagged/?tagnames=identityserver3&sort=newest

For IdentityServer4
https://stackoverflow.com/questions/tagged/?tagnames=identityserver4&sort=newest

For commercial support options - visit
https://identityserver.io

Agreed. I searched a lot and found some help, but it does not work in the latest version of IdentityServer. Now I just want to know how to set the identity token and access token timeout in the latest version of IdentityServer; if you can help me, I will be very thankful.

Both are settings on the client object.

Thanks, I got it. They are set up in the IdentityServer project; I was trying to set them in the client project.

Dude, are you still here? How did you solve that?

// In the IdentityServer project (not the client), e.g. in Config.cs.
// Requires: using System.Collections.Generic; using IdentityServer4.Models;
//           using static IdentityServer4.IdentityServerConstants;  (for StandardScopes.*)
new Client
{
    ClientId = "WebAppId",
    ClientName = "Web Application",
    RequireConsent = false,
    AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,
    ClientSecrets = new List<Secret> { new Secret("secret786".Sha256()) },
    //ToDo:: Get urls by environment
    RedirectUris = GetClientRedirectUris(clientId, environment), //CustomMethod
    PostLogoutRedirectUris = GetClientPostRedirectUris(clientId, environment), //CustomMethod
    AllowedCorsOrigins = { "http://localhost:6003" },
    AllowedScopes = new List<string>
    {
        StandardScopes.OpenId,
        StandardScopes.Profile,
        StandardScopes.Email,
        StandardScopes.OfflineAccess,
        StandardScopes.Phone
    },
    // AllowOfflineAccess enables refresh tokens for this client
    AllowOfflineAccess = true,
    // Access token lifetime is 7200 seconds (2 hours)
    AccessTokenLifetime = 7200,
    // Identity token lifetime is 7200 seconds (2 hours)
    IdentityTokenLifetime = 7200
};

Thanks

Welcome

--
Regards
Khurram Shahzad

Can I change AccessTokenLifetime at runtime?
If yes, how?

// Requires: using System.Collections.Generic; using IdentityServer4.Models;
//           using static IdentityServer4.IdentityServerConstants;  (for StandardScopes.*)
new Client
{
    ClientId = "Abc",
    ClientName = "DEF",
    RequireConsent = false,
    AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,
    // store the SHA-256 hash, not the plain secret; the default secret validator compares hashes
    ClientSecrets = new List<Secret> { new Secret("TEST".Sha256()) },
    //ToDo:: Get urls by environment
    RedirectUris = { "your redirect uri" },
    PostLogoutRedirectUris = { },
    AllowedCorsOrigins = { "https://abc.com" },
    AllowedScopes = new List<string>
    {
        "webapi_scope",
        StandardScopes.OpenId,
        StandardScopes.Profile,
        StandardScopes.Email,
        StandardScopes.OfflineAccess,
        StandardScopes.Phone
    },
    // AllowOfflineAccess enables refresh tokens for this client
    AllowOfflineAccess = true,
    // Access token lifetime is 7200 seconds (2 hours)
    AccessTokenLifetime = 7200,
    // Identity token lifetime is 7200 seconds (2 hours)
    IdentityTokenLifetime = 7200
};


--
Regards
Khurram Shahzad

Solved using IdentityServer Entity Framework.

// IdentityServer3 (OWIN/Katana) hosting code: IdentityServerServiceFactory, Registration<T>
// and RegisterConfigurationServices/RegisterOperationalServices are the IdentityServer3 API.
appBuilder.Map("/core", coreApp =>
{
    var context = new DatabaseContext();
    var efConfig = new EntityFrameworkServiceOptions
    {
        ConnectionString = context.ConnectionString,
    };

    // these two calls just pre-populate the test DB from the in-memory config
    ConfigureClients(Clients.Get(), efConfig);
    ConfigureScopes(Scopes.Get(), efConfig);

    var factory = new IdentityServerServiceFactory();

    // AllowAll = true accepts any CORS origin; restrict this outside development
    factory.CorsPolicyService = new Registration<ICorsPolicyService>(
        new DefaultCorsPolicyService { AllowAll = true });

    // client/scope configuration and operational data (tokens, consent) are read from the EF store,
    // so editing a client row changes what the next token request sees
    factory.RegisterConfigurationServices(efConfig);
    factory.RegisterOperationalServices(efConfig);

    // note: this registration is a singleton
    factory.UserService = new Registration<IUserService, CustomUserService>();
    var options = new IdentityServerOptions
    {
        SiteName = "Fabric Identity Server",
        SigningCertificate = LoadCertificate(),
        Factory = factory,
        EventsOptions = new EventsOptions
        {
            RaiseSuccessEvents = true,
            RaiseFailureEvents = true,
            RaiseErrorEvents = true,
            RaiseInformationEvents = true
        },
        RequireSsl = false // development only
    };

    // mount on the branch being mapped ("/core"), not on the root appBuilder
    coreApp.UseIdentityServer(options);
});

Then update the AccessTokenLifetime database value through a Web API route.
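The thread's answer above uses the IdentityServer3 EF store. For IdentityServer4 the same effect (changing AccessTokenLifetime without a restart) can be had by serving Client objects from a custom IClientStore, because IdentityServer4 asks the store for the Client on every authorize/token request. The following is an added example, not code from the thread or from IdentityServer4 itself; it assumes IdentityServer4 2.x on ASP.NET Core 2.x, a client "WebAppId"/"secret786" as defined earlier in the thread, an authorization policy named IdentityAdmin that is assumed to exist, and a ConcurrentDictionary standing in for whatever database an admin endpoint would really update.

```csharp
// Added example: runtime-mutable AccessTokenLifetime via a custom IClientStore.
// Assumptions: IdentityServer4 2.x, ASP.NET Core 2.x, policy "IdentityAdmin" defined elsewhere.
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Threading.Tasks;
using IdentityServer4.Models;
using IdentityServer4.Stores;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using static IdentityServer4.IdentityServerConstants;

public class MutableClientStore : IClientStore
{
    // clientId -> AccessTokenLifetime in seconds. ConcurrentDictionary so the admin
    // endpoint can update it while token requests are being served concurrently.
    private readonly ConcurrentDictionary<string, int> _lifetimes =
        new ConcurrentDictionary<string, int>();

    public void SetAccessTokenLifetime(string clientId, int seconds)
    {
        // The value is seconds; reject nonsense before it ends up in a token's exp.
        if (seconds <= 0 || seconds > 60 * 60 * 24 * 30)
            throw new ArgumentOutOfRangeException(nameof(seconds), "expected 1..2592000 seconds");
        _lifetimes[clientId] = seconds;
    }

    public Task<Client> FindClientByIdAsync(string clientId)
    {
        if (clientId != "WebAppId")
            return Task.FromResult<Client>(null); // unknown client -> invalid_client

        // A fresh Client carrying the current value is enough; there is no cache to
        // invalidate. Tokens issued earlier keep the exp they were minted with.
        var client = new Client
        {
            ClientId = "WebAppId",
            ClientName = "Web Application",
            AllowedGrantTypes = GrantTypes.Hybrid,
            ClientSecrets = { new Secret("secret786".Sha256()) },
            RedirectUris = { "http://localhost:6003/signin-oidc" },            // assumed
            PostLogoutRedirectUris = { "http://localhost:6003/signout-callback-oidc" }, // assumed
            AllowedCorsOrigins = { "http://localhost:6003" },
            AllowedScopes = { StandardScopes.OpenId, StandardScopes.Profile, "webapi_scope" },
            AllowOfflineAccess = true,
            AccessTokenLifetime = _lifetimes.GetOrAdd("WebAppId", 7200), // default 2 h
            IdentityTokenLifetime = 7200,
        };
        return Task.FromResult(client);
    }
}

// Admin endpoint that changes the value. "IdentityAdmin" is an assumed policy name.
[Route("admin/clients")]
[Authorize(Policy = "IdentityAdmin")]
public class ClientAdminController : Controller
{
    private readonly MutableClientStore _store;
    public ClientAdminController(MutableClientStore store) { _store = store; }

    // PUT /admin/clients/WebAppId/access-token-lifetime  with JSON body: 3600
    [HttpPut("{clientId}/access-token-lifetime")]
    public IActionResult Put(string clientId, [FromBody] int seconds)
    {
        try { _store.SetAccessTokenLifetime(clientId, seconds); }
        catch (ArgumentOutOfRangeException e) { return BadRequest(e.Message); }
        return NoContent();
    }
}

public static class IdentityServerConfig
{
    public static void ConfigureServices(IServiceCollection services)
    {
        services.AddSingleton<MutableClientStore>();
        // IClientStore must resolve to the same singleton the controller mutates.
        services.AddSingleton<IClientStore>(sp => sp.GetRequiredService<MutableClientStore>());

        services.AddIdentityServer(options =>
        {
            // IdentityServer's own session cookie is independent of token lifetimes;
            // align it with the 2 h window so the SSO session ends at the same time.
            options.Authentication.CookieLifetime = TimeSpan.FromHours(2);
            options.Authentication.CookieSlidingExpiration = false;
        })
        .AddDeveloperSigningCredential() // dev only; use a real signing certificate in production
        .AddInMemoryIdentityResources(new List<IdentityResource>
        {
            new IdentityResources.OpenId(), new IdentityResources.Profile()
        })
        .AddInMemoryApiResources(new List<ApiResource> { new ApiResource("webapi_scope") });
        // Do not add AddClientStoreCache here: it would delay the change by the cache duration.

        services.AddMvc();
    }
}
```

Two caveats worth keeping in mind: a new lifetime only affects tokens minted after the change (already-issued JWTs carry their original exp), and if the store is wrapped in AddClientStoreCache the change is invisible until the cache entry expires.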

I set AccessTokenLifetime to 3600*24*10 = 10 days, but the token still expires after one day. Anyone know why?

Use the refresh token to request a new one.
RefreshTokenUsage = TokenUsage.OneTimeOnly,
RefreshTokenExpiration = TokenExpiration.Sliding

Sorry, I don't understand. Why does the token expire after one day if I set AccessTokenLifetime to 10 days? If AccessTokenLifetime doesn't decide the lifetime of the access token, then its name is very confusing.

AccessTokenLifetime should be in seconds.

I did set it to second e.g. 3600*24*10 seconds which is equal to 10 days.

Do the simple math: convert 10 days into seconds and apply that to AccessTokenLifetime, please.

Are you saying if I set it to 20*30 then it will only set it to 20 seconds instead of 600 seconds?

Yes, you need to do the exact math before assigning AccessTokenLifetime in seconds.

I just tested. Setting AccessTokenLifetime to 3600*24*10 does set the token expiration to 10 days, so I am not sure why my supposedly unexpired access token doesn't work after 1 day...

I'll add some information which may help with your troubleshooting (as well as having a query myself).

I use IdentityServer 4 and have an ASP.NET client.

The client has the following setting in Startup.cs:

.AddCookie("Cookies", options => { options.ExpireTimeSpan = new TimeSpan(1, 0, 0); })

With this setting the client will redirect back to Identity Server after an hour. There is then a redirection back to the client and the user remains logged in. There is no prompting for the user to re-enter their credentials after the hour has expired. As I understand it Identity Server is returning a token saying that the user is still authenticated and therefore there is not a request to enter the credentials again.

What I haven't figured out is how to force a user to enter their credentials again after the expiry, in my case an hour. I thought this was controlled by setting the following properties for the Client on IdentityServer:

AccessTokenLifetime = 3600,
IdentityTokenLifetime = 3600

However, in my case, this does not result in the user having to enter their credentials again.

So I'm trying to figure out what I need to do to force the user on the client to have to enter their credentials again.

@justindrerup curious to know if you figured your issue out. Experiencing the same sort of issue and haven't been able to figure out a workaround. Thanks!

@johnsonps08 - sorry, still haven't figured it out. If you do, please share!

OIDC tokens lifetime and IdentityServer session (= the cookie which is created upon authentication) are not correlated...
You could try on the server side :
services.AddIdentityServer(options => { options.Authentication.CookieLifetime = TimeSpan.FromHours(2); })

"OIDC tokens lifetime and IdentityServer session (= the cookie which is created upon authentication) are not correlated..."

If you were to set the client sign-in cookie to the same name as the IdentityServer authentication cookie, which, if I understand correctly, is what was implied should be done on past cookie issue threads here (see this: https://github.com/IdentityServer/IdentityServer4/issues/662), then you get this issue (the evolution of the issue is below: OIDC overwriting the cookie lifespan with its own setting, then IdentityServer using that lifespan):
https://github.com/aspnet/Security/issues/147
https://stackoverflow.com/questions/43416837/b2c-web-app-session-lifetime
https://github.com/Azure-Samples/active-directory-b2c-dotnetcore-webapp/issues/19

Actually, I think you may experience a subset of the above issues even if the cookie isn't named the same (because now there are two cookies).

So if you were to create an immortal-ish cookie by setting the expiration to a year, then setting SlidingExpiration to true after using the same cookie name for the client sign-in cookie as IdentityServer uses for authentication, does anyone know of any other setting on IdentityServer which would overwrite the expiration? This was the overall tracker for 3 sub-issues on cookie expiration: https://github.com/IdentityServer/IdentityServer4/issues/656

@johnsonps08 did you find a solution for this? I need to expire the cookie and prompt the user with the login. Thanks!

In case someone out there is still looking for a solution: I found the solution on Stack Overflow.
Simply set the OnRedirectToIdentityProvider event:

options.Events.OnRedirectToIdentityProvider = context =>
{
    context.ProtocolMessage.Prompt = "login";
    return Task.CompletedTask;
};
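The two pieces of advice above (the client cookie lifetime is not correlated with the OIDC token lifetimes, and prompt=login forces a fresh login) fit together in one client configuration. The following is an added example, not code from the thread or from the IdentityServer4 project: an ASP.NET Core 2.x MVC client whose local session ends when the id_token's exp is reached (UseTokenLifetime) and which asks IdentityServer to re-authenticate the user once their IdentityServer login is older than the token window (max_age, which IdentityServer4 checks against auth_time). Assumed values: authority https://localhost:5000, client "WebAppId"/"secret786" with IdentityTokenLifetime 7200 as in the Client definition earlier in the thread, hybrid flow, and an API scope "webapi_scope".

```csharp
// Added example: ASP.NET Core 2.x OIDC client whose cookie expires with the id_token
// and which re-prompts for credentials after the token window.
// Assumptions: IdentityServer4 at https://localhost:5000, client WebAppId/secret786,
// IdentityTokenLifetime = 7200 on the server side.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;

public static class ClientAuthConfig
{
    // Call from Startup.ConfigureServices; pair with app.UseAuthentication() in Configure.
    public static void Configure(IServiceCollection services)
    {
        services.AddAuthentication(options =>
        {
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie(options =>
        {
            // Fallback only. With UseTokenLifetime below, the ticket's expiry is taken
            // from the id_token's exp (2 h here), so this value is not what ends the session.
            options.ExpireTimeSpan = TimeSpan.FromHours(2);
            // Sliding expiration would keep extending the local session past the token's
            // exp on every request; keep it absolute so both expire together.
            options.SlidingExpiration = false;
        })
        .AddOpenIdConnect(options =>
        {
            options.Authority = "https://localhost:5000"; // assumed
            options.RequireHttpsMetadata = true;
            options.ClientId = "WebAppId";
            options.ClientSecret = "secret786";
            options.ResponseType = "code id_token"; // hybrid flow
            options.SaveTokens = true;              // keep access/refresh tokens in the ticket for API calls
            options.GetClaimsFromUserInfoEndpoint = true;
            options.Scope.Add("offline_access");
            options.Scope.Add("webapi_scope");      // assumed API scope

            // Key setting: the local authentication ticket expires when the id_token
            // expires (IdentityTokenLifetime on the server). Default is false, which is
            // why changing IdentityTokenLifetime alone did nothing for the posters above.
            options.UseTokenLifetime = true;

            // Sends max_age=7200 on the authorize request. IdentityServer compares it with
            // the auth_time of its own session and shows the login page again when the
            // user's IdentityServer login is older than that, instead of silently re-issuing.
            options.MaxAge = TimeSpan.FromHours(2);

            options.Events.OnRedirectToIdentityProvider = context =>
            {
                // Heavier-handed alternative from the thread: always show the login page,
                // even on the very first sign-in. Uncomment if max_age is not enough.
                // context.ProtocolMessage.Prompt = "login";
                return Task.CompletedTask;
            };
        });
    }
}
```

With this in place the sequence is: id_token exp reached, local cookie rejected, challenge to IdentityServer with max_age, and IdentityServer either re-prompts for credentials (session older than 2 h) or issues a new id_token (session still fresh). The access token used against the Web API has its own AccessTokenLifetime and still needs the refresh token once it expires; this configuration only governs the browser session.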

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
