I have an app using OpenIddict for token authorization (access and refresh tokens) and overall, it's working great. The problem is that my use case has multiple app types (web and mobile) using the same authorization server. I'd like to have different expiry times for the different types (probably using different token endpoints) but I can't figure out a way to override the values set with SetAccessTokenLifetime and SetRefreshTokenLifetime. Is there a way to do this?
The goal is to have a longer access token length for the web apps and have the user redirected to the login when they expire (reasonably long expiry, e.g. hours). On the mobile side I want to use the refresh token to keep the user logged in. Best practice seems to indicate that on mobile I should have a very short token expiry (e.g. minutes) with a long refresh token expiry.
Thanks, Jason
I'd like to have different expiry times for the different types (probably using different token endpoints) but I can't figure out a way to override the values set with SetAccessTokenLifetime and SetRefreshTokenLifetime. Is there a way to do this?
You can override the global token expiration values directly from your authorization endpoint action using the dedicated ClaimsPrincipal extensions:

```csharp
// Per-principal overrides. Any lifetime you don't set here falls back to the
// global value configured in the server options (SetAccessTokenLifetime, etc.).
principal.SetAccessTokenLifetime(TimeSpan.FromMinutes(30));
principal.SetAuthorizationCodeLifetime(TimeSpan.FromMinutes(1));
principal.SetIdentityTokenLifetime(TimeSpan.FromMinutes(30));
principal.SetRefreshTokenLifetime(TimeSpan.FromDays(2));
```
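As an added example (not code from the original thread or from the OpenIddict project), here is an authorization endpoint action that applies the per-principal overrides above to the web-vs-mobile split from the question. It assumes OpenIddict 3.x on ASP.NET Core, a cookie-authenticated user, and two hypothetical registered client ids (`web-client`, `mobile-client`); the `TokenPolicy` record and the `Policies` table are illustrative. The policy is keyed on the registered `client_id` rather than on a separate endpoint or a caller-chosen parameter, so a mobile client cannot obtain the web lifetimes just by asking for them.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.IdentityModel.Tokens;
using OpenIddict.Abstractions;
using OpenIddict.Server.AspNetCore;
using static OpenIddict.Abstractions.OpenIddictConstants;

public class AuthorizationController : Controller
{
    // Hypothetical per-client policy. Keyed by the registered client_id so the
    // lifetimes are decided by the server's client registration, not by the caller.
    private sealed record TokenPolicy(
        TimeSpan AccessTokenLifetime,
        TimeSpan? RefreshTokenLifetime,
        bool AllowOfflineAccess);

    private static readonly IReadOnlyDictionary<string, TokenPolicy> Policies =
        new Dictionary<string, TokenPolicy>
        {
            // Web app (hypothetical client_id): access token lives for hours, no
            // refresh token, so the user is sent back to login when it expires.
            ["web-client"] = new(TimeSpan.FromHours(4), RefreshTokenLifetime: null, AllowOfflineAccess: false),

            // Mobile app (hypothetical client_id): minutes-long access token,
            // long-lived refresh token that keeps the user signed in.
            ["mobile-client"] = new(TimeSpan.FromMinutes(5), TimeSpan.FromDays(30), AllowOfflineAccess: true),
        };

    [HttpGet("~/connect/authorize"), HttpPost("~/connect/authorize"), Authorize]
    public IActionResult Authorize()
    {
        var request = HttpContext.GetOpenIddictServerRequest()
            ?? throw new InvalidOperationException("The OpenID Connect request cannot be retrieved.");

        // Refuse any client we have no explicit policy for instead of silently
        // handing it the global defaults.
        if (request.ClientId is null || !Policies.TryGetValue(request.ClientId, out var policy))
        {
            return Forbid(
                authenticationSchemes: OpenIddictServerAspNetCoreDefaults.AuthenticationScheme,
                properties: new AuthenticationProperties(new Dictionary<string, string?>
                {
                    [OpenIddictServerAspNetCoreConstants.Properties.Error] = Errors.InvalidClient,
                    [OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] =
                        "No token policy is registered for this client."
                }));
        }

        // The user was authenticated by the application cookie ([Authorize] above).
        var subject = User.FindFirst(ClaimTypes.NameIdentifier)?.Value
            ?? throw new InvalidOperationException("The authenticated user has no identifier claim.");

        var identity = new ClaimsIdentity(TokenValidationParameters.DefaultAuthenticationType, Claims.Name, Claims.Role);
        identity.AddClaim(new Claim(Claims.Subject, subject));
        var principal = new ClaimsPrincipal(identity);

        // A refresh token is only issued when offline_access is granted, so drop
        // it for clients that must not get one (and also withhold the
        // refresh_token grant permission in that client's registration).
        var scopes = request.GetScopes();
        if (!policy.AllowOfflineAccess)
        {
            scopes = scopes.Remove(Scopes.OfflineAccess);
        }
        principal.SetScopes(scopes);

        // The per-client overrides. A null refresh token lifetime means
        // "fall back to the global value from the server options".
        principal.SetAccessTokenLifetime(policy.AccessTokenLifetime);
        principal.SetRefreshTokenLifetime(policy.RefreshTokenLifetime);

        foreach (var claim in principal.Claims)
        {
            claim.SetDestinations(Destinations.AccessToken);
        }

        return SignIn(principal, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
    }
}
```

Two things worth keeping in mind with this approach. The overrides live on the principal, so tokens minted later through the refresh_token grant reuse them unless your token endpoint action sets new values on the principal it gets back from `HttpContext.AuthenticateAsync(OpenIddictServerAspNetCoreDefaults.AuthenticationScheme)`. And because the mobile app is a public client whose `client_id` is not backed by a secret, the policy split only holds if that client is registered with PKCE required and exact redirect URIs, which is what actually prevents another app from presenting itself as `mobile-client`.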