
When session should expire in Identity Server 4 with MVC client?

I am using MVC client with IdentityServer3.AccessTokenValidation and Identity Server 4 as my IDP app.

I have added cookie timeouts in the places below; however, it seems the session never expires and the user is never logged out automatically:

In the MVC client:

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = "Cookies",
    ExpireTimeSpan = new TimeSpan(0, 20, 0, 0)
});

If I set the time to less than 20 hours, the authorization request runs in an infinite loop.

In the IDP app:

services.AddIdentityServer(
    // Note: this lambda constructs a new options object and discards it; nothing on `opt` is changed.
    opt => new IdentityServer4.Configuration.IdentityServerOptions
    {
        Authentication = new IdentityServer4.Configuration.AuthenticationOptions()
        {
            CookieLifetime = TimeSpan.FromSeconds(60)
        }
    });

Also in the IDP app (the cookie scheme):

services.AddAuthentication()
    .AddCookie("Cookies", opt =>
    {
        opt.ExpireTimeSpan = TimeSpan.FromSeconds(60);
        opt.Cookie = new CookieBuilder() { Expiration = new TimeSpan(0, 0, 0, 60) };
        opt.Events.OnSigningIn = (context) =>
        {
            // Force an absolute expiry on the issued cookie
            context.CookieOptions.Expires = DateTimeOffset.UtcNow.AddSeconds(60);
            return Task.CompletedTask;
        };
    });

This is my interpretation of the general approach to this:

The intent of OIDC (via the session management spec) is that the IDP session becomes the "master", and thus when you sign out of it all your client app sessions should also end (via front- or back-channel logout and the client-side session monitoring mechanism).

This does not preclude the client apps from having their own rules around how often a user must interactively authenticate or what method(s) must be used. To control this from the client you can use the prompt and max_age authorize endpoint parameters and subsequent checking of the auth_time claim in the id_token that is returned.

In this setup it makes sense, in my opinion, to have a persistent cookie for the IDP that's fairly long-lived (and renewed whenever the user authenticates interactively) and a session cookie (i.e. removed when the browser is closed) in the client app.

For all this to work you must use a recognised grant type (typically hybrid for a server-side application), as only then do you have access to the data and features that enable this.

Check out these specs:
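One way to implement the client-side rule the answer describes (max_age on the authorize request, then checking auth_time in the id_token) in an ASP.NET Core MVC client. This is an added example, not code from the question, the answer or IdentityServer; the authority and client id are placeholders, and it assumes the JWT inbound claim-type mapping is cleared so the claim keeps its raw name "auth_time".

```csharp
// Added example: ASP.NET Core MVC client that requests max_age at the IDP and
// enforces its own freshness rule by checking auth_time in the returned id_token.
using System;
using System.Globalization;
using System.IdentityModel.Tokens.Jwt;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;

public static class ClientAuthSetup
{
    // The client's rule: interactive authentication at the IDP may be at most this old.
    // The IDP cookie itself can stay long-lived; this window is what the client enforces.
    private static readonly TimeSpan MaxAuthAge = TimeSpan.FromMinutes(30);

    public static void Configure(IServiceCollection services)
    {
        // Keep the raw claim name "auth_time" instead of the handler's mapped claim types.
        JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
        services.AddAuthentication(o =>
        {
            o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            o.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        // Client-side session cookie: not persistent, so it disappears when the browser closes.
        .AddCookie()
        .AddOpenIdConnect(o =>
        {
            o.Authority = "https://idp.example.test"; // placeholder
            o.ClientId = "mvc-client";                // placeholder
            o.ResponseType = "code id_token";         // hybrid flow, as the answer recommends
            o.MaxAge = MaxAuthAge;                    // sends max_age=<seconds> on the authorize request
            o.Events.OnTokenValidated = ctx =>
            {
                // When max_age was requested, the id_token must carry auth_time (seconds since epoch).
                var raw = ctx.Principal?.FindFirst("auth_time")?.Value;
                if (!long.TryParse(raw, NumberStyles.Integer, CultureInfo.InvariantCulture, out var epoch))
                {
                    ctx.Fail("id_token has no usable auth_time claim");
                    return Task.CompletedTask;
                }
                var authenticatedAt = DateTimeOffset.FromUnixTimeSeconds(epoch);
                if (DateTimeOffset.UtcNow - authenticatedAt > MaxAuthAge)
                    ctx.Fail("interactive login at the IDP is older than the client allows");
                return Task.CompletedTask;
            };
        });
    }
}
```

A failed OnTokenValidated rejects the sign-in, so the user is sent back to the IDP with max_age and has to authenticate interactively again, which is the behaviour the answer describes.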
