I'd like the site to "remember" them. I found
"OpenIdConnectOptions.MaxAge" and that might work, but the maximum it
can be set to is one day. Is that the only option?
Of course the alternative available. In fact, another most popular way is to Use cookie which would help you holding user information. You can create user claims and then keep it in Cookie AuthenticationProperties based on your properties value next time user credential would be read from cookie configuration.
Note: You can check here how it works in practice.
I'd like to be able to set it to at least a week or more, and even
then I'd want it to be a sliding window so that if a user logged in
every week he/she would, theoretically, never need to re-authenticate
(or maybe once a year or something). Is there a way to do that?
Based on your description and requirment asp.net core exactly has the option to manage those functionality which called Persistent cookies what it does is to enabled with explicit user consent with a "Remember Me" checkbox on sign in. Thus, when the user return back no longer redundant login process required.
In AuthenticationProperties you would seen two properties ExpiresUtc and IsPersistent which set persistent cookies feature in login process.
You could implement as following:
await HttpContext.SignInAsync(
CookieAuthenticationDefaults.AuthenticationScheme,
new ClaimsPrincipal(claimsIdentity),
new AuthenticationProperties
{
IsPersistent = true,
ExpiresUtc = DateTime.UtcNow.AddDays(7)
});
Note: Above code snippet just to illustrate you how to set that. You can check some implementation details here. In addition, this might be helpful as well. Furthermore, as you are trying to know at this moment theoritically, so I am just trying to get you in . However, if you encounter any issue while implementing this feature, please share that particular problem in a new qustion along with your reproducible code snippet. Your issue would be investigated accordingly.
