Menu
I have tried to set the AccessTokenLifetime propery for my Implicit Client to be 90seconds. The client is a javascript application.
However, the client is still able to access the api scope "api1" for around 5 minutes after the token should have expired.
This is the code for the client configuration in IdentityServer4:
// JavaScript Client
new Client
{
ClientId = "js",
ClientName = "JavaScript Client",
AllowedGrantTypes = GrantTypes.Implicit,
AllowAccessTokensViaBrowser = true,
RedirectUris = { "http://localhost:5003/callback.html" },
PostLogoutRedirectUris = { "http://localhost:5003/index.html" },
AllowedCorsOrigins = { "http://localhost:5003" },
AllowedScopes =
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
"api1"
},
AccessTokenLifetime = 90
}
I'm using the Javascript quickstart solution from the IdentityServer github repo here https://github.com/IdentityServer/IdentityServer4.Samples/tree/release/Quickstarts/7_JavaScriptClient
241
Requesting a refresh token You can request a refresh token by adding a scope called offline_access to the scope parameter.
The access token is set with a reasonably lower expiration time of 30 mins. The refresh token is set with a very long expiration time of 200 days. If the traffic to this API is 10 requests/second, then it can generate as many as 864,000 tokens in a day.
Sliding: when refreshing the token, the lifetime of the refresh token will be renewed (by the amount specified in SlidingRefreshTokenLifetime). The lifetime will not exceed the absolute lifetime.
About IdentityServer4 IdentityServer is a free, open source OpenID Connect and OAuth 2.0 framework for ASP.NET Core.
Each access token has its own expiry time, which can be set in the OAuthv2 policy . Refresh tokens are optionally issued along with access tokens with some of the grant types.
(Note that refresh tokens can’t be issued using the Implicit grant.) When the access token expires, the application can use the refresh token to obtain a new access token. It can do this behind the scenes, and without the user’s involvement, so that it’s a seamless process to the user.
The following example OAuthV2 policy shows a long expiration time of 200 days for refresh tokens: In the above example: The access token is set with a reasonably lower expiration time of 30 mins. The refresh token is set with a very long expiration time of 200 days.
The response with an access token should contain the following properties: access_token (required) The access token string as issued by the authorization server. token_type (required) The type of token this is, typically just the string “bearer”.
There is a clock skew in the Microsoft JWT validation middleware. It is set by default to 5 mins and cannot be less. Otherwise - the suggested lifetime of an access token is as short as possible. Especially in the client side clients, where you are exposing it to the browser. So your best solution - leave it as default (300 seconds/5 minutes).
Check this topic - there is a good discussion around this.
64
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
