Hi,
Quick question - I'm wondering what you recommended SlidingExpiration setting would/should be in relation to token lifetimes when using the distributed cache.
Thanks, Donal
@dmcweeney : this is an interesting question, but we'd want to understand your scenario a bit more:
Hi @jmprieur,
No concerns from a security perspective.
Thinking in terms of ensuring that the tokens are auto-purged/expired in a timely manner.
For example,
So it is really trying to balance the user accessing the app versus token purge (which would require the user to sign back into the app again) versus redis cache memory usage?
Any thoughts greatly appreciated.
Thanks, Donal
Hi,
I had the same question in the linked issue. It's not like any problem or bug, just a design decision.
Now that I think of it, maybe we could set the tokens to never expire. Over time, they will get invalid and MSAL figures it out and forces re-auth anyway, correct?
@Mek7 correct its a design decision related to picking a good number...
Over time, they will get invalid and MSAL figures it out and forces re-auth anyway, correct
Correct however if the user does not come back to login, the entry stays in the redis cache and it will never get expired, eventually using all the allocated cache storage.
Thanks @Mek7 @dmcweeney for this discussion
I've added a few sentences to the wiki: https://github.com/AzureAD/microsoft-identity-web/wiki/Token-cache-serialization#recommended-expiration-setting
Closing this issue for now.
Feel free to reopen if you disagree
Thanks @Mek7 @dmcweeney for this discussion
I've added a few sentences to the wiki: https://github.com/AzureAD/microsoft-identity-web/wiki/Token-cache-serialization#recommended-expiration-settingClosing this issue for now.
Feel free to reopen if you disagree
Hi @jmprieur, so if we have access token life time of 1 hour, we should set the cache expiration to, say 90 minutes to balance the cache storage and re-authentication traffic(give the refresh token a chance to work?).
When using the default expiration of 20 minutes, the refresh token is never used because the ConfidentialClientApplication.GetAccountAsync(Id) will get nothing from cache due to the triggered cache purge on read, which leads to AcquireTokenSilent call fail and trigger re-authentication.
So why do we end up with 20 minutes as the default, is it mainly the concern of the large system with huge cache entries?
Of course the purge interval plays a role too, and the default is 30 minutes though. Is the 20 min + 30 min < 60 min (default access token life time) plays a role here?
Thanks for the update, @creativebrother
The default should not be 20 mins. I've updated the wiki
I've also updated the samples:
@creativebrother we've updated the documentation around cache eviction. thanks.