Ok, I'm sure I am doing something wrong here setup-wise... Use case is a persistent connection that needs to live indefinitely. Everything works, and I see refresh tokens working for some amount of time, but eventually I see something like this and have to relink an account:
2018-12-08 13:17:32.287 -05:00 [Warning] Failed to find token with key "REDACTED"
2018-12-08 13:17:32.287 -05:00 [Error] Invalid refresh token
2018-12-08 13:17:32.287 -05:00 [Error] Refresh token validation failed. aborting.
The time between last usage and this one should not be crazy long, on the order of days between invocations. So I think I must have something set up incorrectly with regards to refresh tokens. The docs around sliding expirations and such aren't great, so I'm confused on what my settings should be.
Client setting only has AllowOfflineAccess turned on. No RefreshTokenUsage or expiration windows are changed from default.
I think what I need is the following
Sorry, the docs around this aren't really clear on this...
So if I'm reading the docs right, is the DEFAULT a SLIDING refresh token (RefreshTokenExpiration = TokenExpiration.Sliding) that gets REUSED (RefreshTokenUsage = TokenUsage.ReUse) with a refresh token lifetime of 15 days (SlidingRefreshTokenLifetime)?
If so, does AbsoluteRefreshTokenLifetime's default of 30 days mean that if you log in on Jan 1st, and continue to use refresh tokens staying logged in, that on Jan 31st it's going to make you log in again despite keeping refresh tokens flowing?
And does that mean to get what I want, I need to set AbsoluteRefreshTokenLifetime to 0 to disable that "absolute" expiration behavior? As long as refresh tokens keep being used inside of their normal expiration time, I do NOT want to force someone to reauth, because this is a service-to-service connection that needs to stay up and alive continuously.
All set on this issue -- can we close?
Unless you wanna tell me my assessment above is completely off, yes we can close. I'll reopen if the issue comes back, but I think it was just my settings weren't right.
The RT behavior is absolute by default: https://github.com/IdentityServer/IdentityServer4.Storage/blob/dev/src/Models/Client.cs#L211
If you have the mode as absolute configured, then that's all that's in play.
If you have sliding mode configured, then if you don't use the RT in the SlidingRefreshTokenLifetime then it's expired. If you use it within that window, then it slides. It's always capped by the upper AbsoluteRefreshTokenLifetime.
Right. So I ended up using the following:
RefreshTokenUsage = TokenUsage.OneTimeOnly,              // each refresh token is consumed on use and a new one is issued
RefreshTokenExpiration = TokenExpiration.Sliding,        // expiry slides forward on each use
SlidingRefreshTokenLifetime = x.GetValue<int>("refreshTokenLifetime", 30) * 86400, // sliding window in seconds (config value is in days, default 30)
AbsoluteRefreshTokenLifetime = 0                         // no absolute cap on the sliding window
My understanding is this should give me a refresh token that can be used for however many days I specify (default 30 days here), can only be used to renew once and is handed a new refresh token with the new access token, and can be refreshed indefinitely. This seems to be more stable now for a long living connection. Sound about right? If so go ahead and close.
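To make the rules stated in the two comments above concrete (absolute vs. sliding expiration, the absolute cap, and one-time-use rotation), here is an added Python model. It is not IdentityServer4's code and was not posted by anyone in this thread; the names ClientPolicy, RefreshTokenStore, simulate and replay_old_handle are invented for the illustration, the error strings only loosely echo the log lines at the top of the issue, and it assumes, as the thread does, that AbsoluteRefreshTokenLifetime = 0 means "no absolute cap". Token creation time is kept across rotation so the absolute cap still anchors at the original login.

```python
"""Illustrative model of IdentityServer4-style refresh token lifetime rules.

Not the library's implementation; an added example for this thread.
"""
from dataclasses import dataclass
from enum import Enum, auto
from typing import Dict, List, Tuple
import secrets

DAY = 86400  # seconds


class TokenUsage(Enum):
    ReUse = auto()        # same handle stays valid after a refresh
    OneTimeOnly = auto()  # handle is consumed; a new one is issued


class TokenExpiration(Enum):
    Sliding = auto()
    Absolute = auto()


@dataclass(frozen=True)
class ClientPolicy:
    # Defaults follow the maintainer's comment: absolute by default, 15/30 day lifetimes.
    usage: TokenUsage = TokenUsage.OneTimeOnly
    expiration: TokenExpiration = TokenExpiration.Absolute
    sliding_lifetime: int = 15 * DAY
    absolute_lifetime: int = 30 * DAY  # 0 = no cap (assumption taken from the thread)


@dataclass
class RefreshToken:
    handle: str
    created: int  # issue time of the original grant, seconds
    expires: int  # current expiry, seconds


class RefreshTokenValidationError(Exception):
    pass


class RefreshTokenStore:
    def __init__(self, policy: ClientPolicy) -> None:
        self.policy = policy
        self._tokens: Dict[str, RefreshToken] = {}

    def issue(self, now: int) -> str:
        """Issue a refresh token at time `now` and return its handle."""
        p = self.policy
        if p.expiration is TokenExpiration.Absolute:
            if p.absolute_lifetime <= 0:
                raise ValueError("absolute mode needs a positive AbsoluteRefreshTokenLifetime")
            lifetime = p.absolute_lifetime
        else:
            lifetime = p.sliding_lifetime
            if p.absolute_lifetime > 0:
                lifetime = min(lifetime, p.absolute_lifetime)
        handle = secrets.token_urlsafe(32)
        self._tokens[handle] = RefreshToken(handle, now, now + lifetime)
        return handle

    def refresh(self, handle: str, now: int) -> str:
        """Validate `handle` at time `now`; return the handle to use next time."""
        p = self.policy
        token = self._tokens.get(handle)
        if token is None:
            # Unknown or already-consumed handle: the "Failed to find token" case.
            raise RefreshTokenValidationError("Invalid refresh token")
        if now >= token.expires:
            del self._tokens[handle]
            raise RefreshTokenValidationError("Refresh token expired")
        if p.expiration is TokenExpiration.Sliding:
            # Slide the window forward, but never past created + absolute cap.
            new_expires = now + p.sliding_lifetime
            if p.absolute_lifetime > 0:
                new_expires = min(new_expires, token.created + p.absolute_lifetime)
            token.expires = new_expires
        if p.usage is TokenUsage.OneTimeOnly:
            del self._tokens[handle]
            new_handle = secrets.token_urlsafe(32)
            self._tokens[new_handle] = RefreshToken(new_handle, token.created, token.expires)
            return new_handle
        return handle


def simulate(policy: ClientPolicy, use_days: List[int]) -> Tuple[int, str]:
    """Issue at day 0, then refresh at each day in `use_days`.

    Returns (number of successful refreshes, "ok" or the first error message).
    """
    store = RefreshTokenStore(policy)
    handle = store.issue(0)
    done = 0
    for day in use_days:
        try:
            handle = store.refresh(handle, day * DAY)
            done += 1
        except RefreshTokenValidationError as exc:
            return done, str(exc)
    return done, "ok"


def replay_old_handle(policy: ClientPolicy) -> str:
    """Use a token once, then present the same handle again a day later."""
    store = RefreshTokenStore(policy)
    first = store.issue(0)
    store.refresh(first, 1 * DAY)
    try:
        store.refresh(first, 2 * DAY)
        return "ok"
    except RefreshTokenValidationError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed scenarios: the library defaults vs. the settings chosen in this thread.
    thread_settings = ClientPolicy(TokenUsage.OneTimeOnly, TokenExpiration.Sliding, 30 * DAY, 0)
    print("defaults, refresh every 5 days:", simulate(ClientPolicy(), [5, 10, 15, 20, 25, 30]))
    print("sliding 15d capped at 30d, every 10 days:",
          simulate(ClientPolicy(expiration=TokenExpiration.Sliding), [10, 20, 30]))
    print("thread settings, every 29 days for a year:",
          simulate(thread_settings, [29 * i for i in range(1, 13)]))
    print("replay consumed handle:", replay_old_handle(thread_settings))
```

The second scenario is the one worth noticing: with sliding mode but the default 30 day absolute cap, a service that refreshes every 10 days is still forced to re-authenticate on day 30, and the last scenario shows why a client library that resends a consumed handle under OneTimeOnly sees "Invalid refresh token" rather than an expiry error.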