
We are using IdentityServer4 and have an issue on using refresh token.

Here are my client configs (lifetimes in seconds):

  • Grant types: client_credentials, hybrid
  • Access token lifetime: 60
  • Identity token lifetime: 900
  • Absolute refresh token lifetime: 240
  • Sliding refresh token lifetime: 60
  • Refresh token usage: OneTimeOnly
  • Refresh token expiration: Absolute

I am checking the access token lifetime, and when it is about to expire I use the refresh token to get a new access token. After 240 seconds the access token lifetime is no longer extended, and my client goes to Identity Server, which issues a new set of tokens for my client.

I want my user to enter username/password after the refresh token expires, but Identity Server issues new tokens instead of asking for credentials.

Any Idea?

Majid
  • If you are using the hybrid flow, then I assume you have an mvc client. This type of client uses cookies and doesn't need an access token. You could set SaveTokens to false, if it wasn't for the id_token that needs to be saved. The access token is only relevant for accessing an api, but I don't see you mention an api. Anyways, in case the client needs to reauthenticate, the user is redirected to the IdentityServer page where another cookie is present which should automatically refresh the session of the user. The same way a user can be automatically logged in to another client. –  Oct 28 '19 at 19:40
  • The access token is used for an api. Since the api doesn't have a session, an expired token will never redirect a user to the IdentityServer login page. It will simply return Unauthorized, 403. Only the client can redirect the user to IdentityServer by invalidating the session. But when an access token is expired, the refresh token prevents this from happening. In your case, the user remains logged in, also after the tokens are expired, but the api becomes inaccessible. Also check my answer [here](https://stackoverflow.com/questions/54498454/#54507122) –  Oct 28 '19 at 19:46
  • I have the same code as "https://stackoverflow.com/questions/54498454/still-logged-in-mvc-site-but-cant-call-web-api#54507122". Everything in terms of access token and refresh token works, except that when the refresh token has expired my client reauthenticates by redirecting to Identity Server without asking the user to enter credentials. My question is why? – Majid Oct 29 '19 at 14:11
  • @Majid because you're not forcing interactive authentication in the `authorize` endpoint call. See my answer regarding how to influence this behavior. – mackie Oct 29 '19 at 14:43
  • It's like @mackie said earlier, there is no relation between token and session. So the client has to do something special to force the user to reauthenticate. The client can evaluate the token and detect that it is expired, and it can redirect the user to IdentityServer. But because of the session cookie (which enables SSO), the user is automatically authenticated again. So the client has to add parameters to prevent this behaviour. In other words, disable SSO in this case: `prompt=login` –  Oct 29 '19 at 17:22
  • Thanks guys, adding the prompt parameter when redirecting to IdentityServer works and forces the user to enter credentials. But how should I get the expiration of the cookies in the RedirectToIdentityProvider event? I need to check if expires_at is greater than now() and then add prompt=login. – Majid Oct 30 '19 at 14:12

1 Answer

If I'm understanding correctly, you want to force the user to interactively authenticate from your client? If so, the `max_age=n` or `prompt=login` authorize endpoint parameters can be used to trigger that flow, and then you can validate the `auth_time` claim within your client to ensure it's recent enough.

Currently this is happening without prompting because the user still has a valid IDP session via the authentication cookie. I'd recommend using the above method over and above aligning the IDP session lifetime with your client application session lifetime.

mackie
  • No, I do not want that. I want the user to enter credentials on the Identity Server login page when the refresh token has expired. This is a common scenario when using Identity Server: a long-lived refresh token and a short-lived access token, update the access token using the refresh token until the refresh token expires, then force the user to enter credentials again. – Majid Oct 28 '19 at 16:58
  • But it's the client that has to make that decision because the refresh token and IDP session have no relationship to each other. To achieve what you want you should detect that condition in your client and then use the above approach to force interactive authentication regardless of the current state of the user's IDP session. – mackie Oct 28 '19 at 17:24
  • Thanks, adding the prompt parameter when redirecting to IdentityServer works and forces the user to enter credentials. – Majid Nov 06 '19 at 21:51
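The approach the answer and comments describe, as an added example that is not code from the question, the answer, or the IdentityServer4 project: an ASP.NET Core MVC client using `Microsoft.AspNetCore.Authentication.OpenIdConnect`. The client decides that the user must re-enter credentials (in practice, when its refresh-token grant comes back with `invalid_grant` after the absolute refresh token lifetime has passed), challenges with a marker in `AuthenticationProperties`, sets `prompt=login` on the resulting authorize request so the IdentityServer session cookie cannot silently re-authenticate the user, and then checks the `auth_time` claim in the returned id_token rather than trusting the prompt alone. It also shows how to read the stored `expires_at` of the current session inside `OnRedirectToIdentityProvider`, as asked in the last comment on the question. The authority, client id, secret, the `force_login` item key, and the 60-second freshness window are assumptions for the example; `SaveTokens = true` and a cleared inbound claim-type map (so `auth_time` keeps its short name) are assumed as well.

```csharp
// Added example (not from the original post or from IdentityServer4).
// Assumptions: authority/client id/secret are placeholders, SaveTokens = true,
// JWT inbound claim mapping cleared, and "force_login" is a hypothetical
// AuthenticationProperties item name chosen for this example.
using System;
using System.Globalization;
using System.IdentityModel.Tokens.Jwt;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

public static class ForceLogin
{
    // Hypothetical item key the client sets when the user must re-authenticate.
    public const string Key = "force_login";
    // How recent auth_time must be for us to accept that a login actually happened.
    public static readonly TimeSpan MaxAuthAge = TimeSpan.FromSeconds(60);
}

public static class AuthSetup
{
    public static void Configure(IServiceCollection services)
    {
        // Keep "auth_time" (and "sub") as short claim names instead of the legacy SAML URIs.
        JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

        services.AddAuthentication(o =>
        {
            o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            o.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(o =>
        {
            o.Authority = "https://idp.example.test";   // assumed
            o.ClientId = "mvc";                         // assumed
            o.ClientSecret = "secret";                  // assumed
            o.ResponseType = "code id_token";           // hybrid flow, as in the question
            o.SaveTokens = true;                        // stores access_token, refresh_token, expires_at
            o.Scope.Add("offline_access");              // required to receive a refresh token

            o.Events.OnRedirectToIdentityProvider = async ctx =>
            {
                // Only authorize requests carry prompt; end-session redirects do not.
                if (ctx.ProtocolMessage.RequestType != OpenIdConnectRequestType.Authentication)
                    return;

                // The challenge's own properties carry our marker (set in the controller below).
                var forced = ctx.Properties.Items.ContainsKey(ForceLogin.Key);

                // The comment asked how to see expires_at here: it lives in the *current*
                // cookie session, not in the challenge properties, so authenticate first.
                var session = await ctx.HttpContext.AuthenticateAsync(
                    CookieAuthenticationDefaults.AuthenticationScheme);
                var expiresAt = session.Properties?.GetTokenValue("expires_at");
                var accessTokenExpired = expiresAt != null
                    && DateTimeOffset.TryParse(expiresAt, CultureInfo.InvariantCulture,
                           DateTimeStyles.RoundtripKind, out var exp)
                    && exp <= DateTimeOffset.UtcNow;

                if (forced || accessTokenExpired)
                {
                    // Disable SSO for this round-trip: IdentityServer shows the login page
                    // even though its own session cookie is still valid.
                    ctx.ProtocolMessage.Prompt = OpenIdConnectPrompt.Login;
                }
            };

            o.Events.OnTokenValidated = ctx =>
            {
                // prompt=login is a request, not a guarantee: verify the IdP really
                // re-authenticated by checking that auth_time is fresh.
                if (ctx.Properties?.Items.ContainsKey(ForceLogin.Key) == true)
                {
                    var raw = ctx.Principal?.FindFirst("auth_time")?.Value;
                    if (raw == null
                        || !long.TryParse(raw, out var unix)
                        || DateTimeOffset.UtcNow - DateTimeOffset.FromUnixTimeSeconds(unix) > ForceLogin.MaxAuthAge)
                    {
                        ctx.Fail("Interactive login was required but auth_time is missing or stale.");
                    }
                }
                return Task.CompletedTask;
            };
        });
    }
}

public class AccountController : Controller
{
    // Call this when the refresh-token grant fails with invalid_grant (the refresh
    // token hit its absolute lifetime or was already consumed under OneTimeOnly).
    public IActionResult Reauthenticate(string returnUrl = "/")
    {
        var props = new AuthenticationProperties { RedirectUri = returnUrl };
        props.Items[ForceLogin.Key] = "1";   // picked up in OnRedirectToIdentityProvider
        return Challenge(props, OpenIdConnectDefaults.AuthenticationScheme);
    }
}
```

Two caveats a practitioner should keep in mind. First, `expires_at` describes the access token only; the client never learns the refresh token's remaining lifetime, so the failed refresh (the `invalid_grant` response) is the authoritative signal and the `force_login` marker is what actually drives the re-login. Second, `max_age=0` on the authorize request achieves the same effect as `prompt=login` per the OpenID Connect spec, but either way the `auth_time` check in `OnTokenValidated` is what makes the client's decision enforceable rather than advisory.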