
I have a question related to refresh tokens. I have configured my Angular Client in Identity Server as follows:

RefreshTokenUsage = TokenUsage.OneTimeOnly,
AccessTokenLifetime = 30,
AbsoluteRefreshTokenLifetime = 3600,
RefreshTokenExpiration = TokenExpiration.Sliding,
SlidingRefreshTokenLifetime = 60,

Also, my Angular client uses the 'silent renew' mechanism (using angular-auth-oidc-client).

If the Angular client is started, after 20 seconds the 'silent renew' kicks in and asks for a new access token, which makes sense because this is about 75% of the access token lifetime of 30 seconds. It gets a new access token and all keeps working.

At a given moment in time, I stop the silent renew. This means that it does not refresh the access token anymore, and indeed, after a while my calls to the web api fail because the access token expired.

Now, minutes later I restart 'silent renew'.

The strange thing is that it succeeds in getting a new access token, but it was my understanding that this should not work anymore because the refresh token should have expired after 60 seconds?

I probably misunderstand how this sliding refresh token mechanism works. Can someone explain why I can still request a new access token with a refresh token that has expired?

L-Four

1 Answer


We have recently implemented silent renew using oidc library from angular SPA.

And my understanding is that the client side library's silent renew mechanism does not use the refresh token strategy; instead it calls an Authorize request with prompt=none every time it asks for a silent renew and gets a new id token and access token.

And also it uses OIDC session management with an iframe to keep track of the session expiry. You can see that cookie in the browser.

  • Thank you. Your response made me think of something. There is an option use_refresh_token: "boolean property set to false. Standard silent renew mode used per default. Refresh tokens can be activated." So maybe, if I set this to true, it will start using the refresh tokens? I will do a test to see if this makes a difference. – L-Four Dec 24 '19 at 09:27
  • I tried it, but it still does a renew if the refresh token is expired: "If you set use_refresh_token to true, but there is no refresh_token the library automatically tries to do a silent renew and thus requires the iframe. If you have set log_console_debug_active to true, you'll see a console entry like this no refresh token found, using silent renew that states this." If I don't want that, I guess I should disable silent renew, probably? – L-Four Dec 24 '19 at 09:41
  • I think I'm going to handle this differently. I simply allow silent refresh as I did now, but build in an idle timeout mechanism that logs off the user in case he is not active for an amount of time. – L-Four Dec 24 '19 at 10:15
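Added example (not code from the question, the answer, angular-auth-oidc-client or IdentityServer): a TypeScript model of sliding refresh-token expiry for the client settings in the question, assuming IdentityServer's documented semantics (sliding lifetime renewed on each use, capped by the absolute lifetime, OneTimeOnly rotating the handle). It replays the timeline from the question and shows that after a multi-minute pause the refresh-token path alone would be refused, so a renew that still succeeds must be coming from the prompt=none path described in the answer.

```typescript
// Model of sliding refresh-token expiry (assumed IdentityServer semantics, not its code).
interface RefreshTokenConfig {
  absoluteRefreshTokenLifetime: number; // seconds since issue; 0 = no absolute cap
  slidingRefreshTokenLifetime: number;  // seconds since last use
  oneTimeOnly: boolean;                 // RefreshTokenUsage.OneTimeOnly
}

interface RefreshToken {
  handle: string;
  issuedAt: number;   // seconds
  lastUsedAt: number; // seconds
  consumed: boolean;  // set once a OneTimeOnly token has been redeemed
}

// Values copied from the client configuration in the question.
const questionConfig: RefreshTokenConfig = {
  absoluteRefreshTokenLifetime: 3600,
  slidingRefreshTokenLifetime: 60,
  oneTimeOnly: true,
};

// Valid only while both the sliding window and the absolute cap are open.
function isRefreshTokenValid(token: RefreshToken, cfg: RefreshTokenConfig, now: number): boolean {
  if (token.consumed) return false;
  const slidingDeadline = token.lastUsedAt + cfg.slidingRefreshTokenLifetime;
  const absoluteDeadline =
    cfg.absoluteRefreshTokenLifetime > 0 ? token.issuedAt + cfg.absoluteRefreshTokenLifetime : Infinity;
  return now < Math.min(slidingDeadline, absoluteDeadline);
}

// Redeems the token at `now`; returns the token to use next (rotated for OneTimeOnly) or null.
function redeem(token: RefreshToken, cfg: RefreshTokenConfig, now: number, seq: number): RefreshToken | null {
  if (!isRefreshTokenValid(token, cfg, now)) return null;
  token.consumed = cfg.oneTimeOnly; // replaying the old handle must fail
  const handle = cfg.oneTimeOnly ? `rt-${seq}` : token.handle; // constructed handle, not a real token
  return { handle, issuedAt: token.issuedAt, lastUsedAt: now, consumed: false };
}

// Question's timeline: renew every 20 s for `activeRenews` rounds, pause `idleSeconds`, renew once more.
// Returns whether that final renew would succeed using only the refresh token.
function simulate(cfg: RefreshTokenConfig, activeRenews: number, idleSeconds: number): boolean {
  let t = 0;
  let token: RefreshToken = { handle: "rt-0", issuedAt: 0, lastUsedAt: 0, consumed: false };
  for (let i = 1; i <= activeRenews; i++) {
    t += 20;
    const next = redeem(token, cfg, t, i);
    if (next === null) return false; // absolute cap reached during active use
    token = next;
  }
  return redeem(token, cfg, t + idleSeconds, activeRenews + 1) !== null;
}
```

With the question's settings, a 40 s pause is still inside the sliding window, a pause of several minutes is not, and continuous renewing stops at the 3600 s absolute cap regardless of activity.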