
Can somebody explain how to implement sliding expiration using the new Owin WS-Federation plugin?

On the client side, in the WS-Federation configuration I see that there are some events like:

    Notifications = new WsFederationAuthenticationNotifications
    {
        SecurityTokenReceived = ...,
        AuthenticationFailed = ...,
        RedirectToIdentityProvider = ...,
        MessageReceived = ...,
        SecurityTokenValidated = ...
    },

But because of the lack of documentation I can't really figure out where and how.

At the moment my STS is issuing tokens with absolute expiration:

    protected override Lifetime GetTokenLifetime(Lifetime requestLifetime)
    {
        // 5 minutes for token lifetime
        var lifetime = new Lifetime(DateTime.UtcNow, DateTime.UtcNow.AddMinutes(5));
        return lifetime;
    }

Any help is highly appreciated.

Cristian E.

1 Answer


TL;DR: set WsFederationAuthenticationOptions.UseTokenLifetime to false, to re-enable sliding expiration.

In OWIN/Katana, the sliding expiration concept is limited to the cookies middleware and is enabled by default (you can turn it off by setting CookieAuthenticationOptions.SlidingExpiration to false: https://katanaproject.codeplex.com/SourceControl/latest#src/Microsoft.Owin.Security.Cookies/CookieAuthenticationOptions.cs).

When you use app.UseWsFederationAuthentication (or app.UseOpenIdConnectAuthentication), it actually relies on another middleware to persist the ClaimsIdentity when you complete the authentication flow. This "persistence delegation" can be configured through the SignInAsAuthenticationType or via app.SetDefaultSignInAsAuthenticationType.

Typically, this SignInAsAuthenticationType property corresponds to a cookie middleware: this way, sliding expiration is not managed at the WS-Federation middleware level, but by the cookies middleware, that will automatically renew the authentication cookie when sliding expiration conditions are met. In this scenario, the authentication token issued by your identity provider won't be renewed. For this to work, you need to set WsFederationAuthenticationOptions.UseTokenLifetime to false, because when you use the default value, sliding expiration is disabled and the cookie lifetime matches the token lifetime.

If you use WS-Fed for authentication purposes (i.e you just want to know who your users are), using sliding expiration is probably a good idea. But if you need to make some API calls on a remote server, your users may end up being authenticated for a long time, far after the expiration of their security token.

Kévin Chalet
  • Excellent answer, it worked! Thank you so much! I use WS-Fed for authentication purposes, and the clients are MVC apps; there are no API calls. Still, you mentioned an interesting use case when the cookie lives longer than the security token. What are the issues in this scenario? How can we mitigate this situation? – Cristian E. Feb 20 '15 at 15:19
  • If you're not doing any API calls, having a cookie that lives longer than the security token is not fundamentally wrong. Of course, given that tons of things could happen after a token has been issued (authorization removed, profile deleted, etc.), your client application may not have a clear idea of the current status of the user, but that's not always an issue. On the opposite, if you use the security token to make API calls, the calls will fail if the token expired before the cookie itself expired. To mitigate that, you could catch 401 responses and restart an authentication flow. – Kévin Chalet Feb 20 '15 at 15:30
  • Hi everyone, I'm interested in this topic. Has anyone found a good way to renew the claims of the user after they've been authenticated? I'm having this problem and I don't know which way to go. I want, for example, my user's token to live for 3 hours but the claims (from a DB) to get renewed every hour. Is this possible? Thanks! – snekkke Mar 25 '15 at 19:25
  • @KévinChalet, for me turning "UseTokenLifetime" to false was key. This issue was really hard to figure out. – amassani Jun 23 '20 at 22:04
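The configuration the accepted answer describes, written out as an OWIN Startup class. This is an added example, not code from the question, the answer or the Katana project; the realm and metadata address are placeholders, the 20-minute cookie lifetime is an assumed value, and the `SecurityTokenValidated` callback only traces what the middleware hands over. The security-relevant part is the split of responsibilities: the STS keeps issuing short-lived (5-minute) tokens, the WS-Federation middleware stops copying that lifetime onto the cookie (`UseTokenLifetime = false`), and the cookie middleware alone decides how long the browser session stays valid and whether it slides.

```csharp
using System;
using System.Diagnostics;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

[assembly: OwinStartup(typeof(SlidingExpirationSample.Startup))]

namespace SlidingExpirationSample
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // The WS-Federation middleware does not persist the ClaimsIdentity
            // itself; it signs in against whatever middleware is named by
            // SignInAsAuthenticationType. Point that at the cookie middleware.
            app.SetDefaultSignInAsAuthenticationType(
                CookieAuthenticationDefaults.AuthenticationType);

            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,

                // Sliding expiration lives here, not in the WS-Fed middleware.
                // It is already the default; written out so the intent is visible.
                SlidingExpiration = true,

                // Assumed value. Once UseTokenLifetime is false this span, not the
                // STS token lifetime, bounds an idle session. Keep it short enough
                // that revoked users fall out of the app within an acceptable window.
                ExpireTimeSpan = TimeSpan.FromMinutes(20)
            });

            app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
            {
                // Placeholders: replace with the relying party realm and the
                // federation metadata endpoint of your STS.
                Wtrealm = "https://rp.example.invalid/",
                MetadataAddress =
                    "https://sts.example.invalid/FederationMetadata/2007-06/FederationMetadata.xml",

                // Default is true, which copies the token's validity window onto
                // the cookie ticket and disables sliding expiration for it.
                // false leaves the cookie lifetime to the cookie middleware above.
                UseTokenLifetime = false,

                Notifications = new WsFederationAuthenticationNotifications
                {
                    // Runs after signature and audience validation succeeded.
                    // With UseTokenLifetime = false the ticket carries no
                    // ExpiresUtc yet; the cookie middleware assigns one at sign-in.
                    SecurityTokenValidated = notification =>
                    {
                        var props = notification.AuthenticationTicket.Properties;
                        Trace.TraceInformation(
                            "WS-Fed token validated for {0}; cookie ExpiresUtc={1}",
                            notification.AuthenticationTicket.Identity.Name,
                            props.ExpiresUtc.HasValue
                                ? props.ExpiresUtc.Value.ToString("o")
                                : "(set by cookie middleware)");
                        return Task.FromResult(0);
                    }
                }
            });
        }
    }
}
```

With this wiring an active user's cookie is renewed by the cookie middleware while the original security token has long expired, which is exactly the trade-off discussed in the comments: fine for "who is this user" authentication, but any downstream API that is still presented with that token will start returning 401 after 5 minutes. If that applies, keep `UseTokenLifetime` at its default (or tie `ExpireTimeSpan` to the token lifetime) and handle 401 responses by restarting the authentication flow, as the answer's comment suggests.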