0 votes

We are using IdentityServer4 and have an issue on using refresh token.

Here are my client configs:

  • Grant types: client_credentials, hybrid
  • Access token lifetime: 60
  • Identity token lifetime: 900
  • Absolute refresh token lifetime: 240
  • Sliding refresh token lifetime: 60
  • Refresh token usage: OneTimeOnly
  • Refresh token expiration: Absolute

I am checking the access token lifetime, and when it is about to expire I use the refresh token to get a new access token. After 240 seconds the access token lifetime is no longer extended, my client goes to IdentityServer, and it issues a new set of tokens for my client.

I want my user to enter username/password after the refresh token expires, but IdentityServer issues new tokens instead of asking for credentials.

Any Idea?

If you are using the hybrid flow, then I assume you have an MVC client. This type of client uses cookies and doesn't need an access token. You could set SaveTokens to false, if it wasn't for the id_token that needs to be saved. The access token is only relevant for accessing an API, but I don't see you mention an API. Anyway, in case the client needs to reauthenticate, the user is redirected to the IdentityServer page where another cookie is present which should automatically refresh the session of the user. The same way a user can be automatically logged in to another client. (Ruard van Elburg)

The access token is used for an API. Since the API doesn't have a session, an expired token will never redirect a user to the IdentityServer login page. It will simply return Unauthorized, 403. Only the client can redirect the user to IdentityServer by invalidating the session. But when an access token is expired, the refresh token prevents this from happening. In your case, the user remains logged in, also after the tokens are expired, but the API becomes inaccessible. Also check my answer here. (Ruard van Elburg)

I have the same code as "stackoverflow.com/questions/54498454/…". Everything in terms of access token and refresh token works, except that when the refresh token becomes expired my client reauthenticates by redirecting to IdentityServer without asking the user to enter credentials. My question is why? (Majid)

@Majid because you're not forcing interactive authentication in the authorize endpoint call. See my answer regarding how to influence this behavior. (mackie)

It's like @mackie said earlier, there is no relation between token and session. So the client has to do something special to force the user to reauthenticate. The client can evaluate the token and detect that it is expired, and it can redirect the user to IdentityServer. But because of the session cookie (which enables SSO), the user is automatically authenticated again. So the client has to add parameters to prevent this behaviour. In other words, disable SSO in this case: prompt=login (Ruard van Elburg)

1 Answer

2 votes

If I'm understanding correctly you want to force the user to interactively authenticate from your client? If so the max_age=n or prompt=login authorize endpoint parameters can be used to trigger that flow and then you can validate the auth_time claim within your client to ensure it's recent enough.

Currently this is happening without prompting because the user still has a valid IDP session via the authentication cookie. I'd recommend using the above method over and above setting the IDP session to be aligned with your client application session lifetime.
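The following is an added example, not code from the question, the answer or IdentityServer4 itself, showing how an ASP.NET Core hybrid-flow client can apply the two mechanisms the answer names: sending max_age (and, on demand, prompt=login) on the authorize request, and checking the auth_time claim of the returned id_token so the client does not silently accept a token minted from the IDP's SSO cookie. The authority, client id, client secret, the four-minute freshness policy and the `force_login` properties key are assumptions chosen for the example; the `Reauthenticate` action is a hypothetical place to call when the refresh token has expired.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public static class InteractiveAuth
{
    // Assumed policy: a login older than this is not fresh enough for the client.
    // Chosen to match the 240 s absolute refresh token lifetime from the question.
    public static readonly TimeSpan MaxAuthAge = TimeSpan.FromSeconds(240);

    // Hypothetical AuthenticationProperties.Items key used to request prompt=login.
    public const string ForceLoginKey = "force_login";

    // True when the id_token carries an auth_time no older than maxAge at `now`.
    // Reads the raw "auth_time" claim from the JWT, so JwtSecurityTokenHandler's
    // inbound claim-type mapping does not get in the way.
    public static bool AuthTimeIsFresh(JwtSecurityToken idToken, TimeSpan maxAge, DateTimeOffset now)
    {
        var claim = idToken.Claims.FirstOrDefault(c => c.Type == "auth_time");
        if (claim == null || !long.TryParse(claim.Value, out var epoch))
            return false; // missing or unparsable auth_time: treat as stale, never as fresh

        var authTime = DateTimeOffset.FromUnixTimeSeconds(epoch);
        if (authTime > now.AddMinutes(1))
            return false; // auth_time in the future beyond a small clock-skew allowance
        return now - authTime <= maxAge;
    }

    public static void ConfigureClient(IServiceCollection services)
    {
        services.AddAuthentication(o =>
        {
            o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            o.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(options =>
        {
            options.Authority = "https://localhost:5001"; // assumed IdentityServer4 address
            options.ClientId = "mvc";                     // assumed client id
            options.ClientSecret = "secret";              // assumed, must match the client registration
            options.ResponseType = "code id_token";       // hybrid flow
            options.SaveTokens = true;                    // keeps id_token/access/refresh tokens in the cookie
            options.Scope.Add("offline_access");          // required to receive a refresh token

            options.Events = new OpenIdConnectEvents
            {
                OnRedirectToIdentityProvider = ctx =>
                {
                    // max_age: the IDP must re-authenticate if its session's auth_time is older than this.
                    ctx.ProtocolMessage.MaxAge = ((int)MaxAuthAge.TotalSeconds).ToString();

                    // prompt=login: ignore the IDP session cookie (SSO) and always show the login page.
                    if (ctx.Properties.Items.ContainsKey(ForceLoginKey))
                        ctx.ProtocolMessage.Prompt = "login";

                    return Task.CompletedTask;
                },
                OnTokenValidated = ctx =>
                {
                    // Defence in depth: verify auth_time in the id_token instead of trusting
                    // that the IDP honoured max_age / prompt.
                    if (!AuthTimeIsFresh(ctx.SecurityToken, MaxAuthAge, DateTimeOffset.UtcNow))
                        ctx.Fail("auth_time missing or too old; interactive login required");

                    return Task.CompletedTask;
                }
            };
        });
    }
}

public class AccountController : Controller
{
    // Hypothetical entry point: call this when the refresh token has expired (for example,
    // the token endpoint answered invalid_grant) rather than letting a plain challenge
    // pick up new tokens from the SSO cookie without any user interaction.
    [HttpGet]
    public IActionResult Reauthenticate(string returnUrl = "/")
    {
        var props = new AuthenticationProperties { RedirectUri = returnUrl };
        props.Items[InteractiveAuth.ForceLoginKey] = "true";
        return Challenge(props, OpenIdConnectDefaults.AuthenticationScheme);
    }
}
```

With max_age set on every authorize request, IdentityServer compares its own session's authentication time against the limit and shows the login page when the session is too old, which is usually enough. The prompt=login path is for the case the question describes, where the client knows the refresh token is gone and wants credentials regardless of how recent the IDP session is. The auth_time check in OnTokenValidated is what stops the client from accepting an id_token that was issued from a stale session anyway; failing the ticket there means the user is sent back to log in rather than silently signed in again.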