What is the correct method of setting the expiry of an access token in the Implicit Flow in IdentityServer4?

I have tried to set the AccessTokenLifetime property for my Implicit Client to be 90 seconds. The client is a JavaScript application.

However, the client is still able to access the api scope "api1" for around 5 minutes after the token should have expired.

This is the code for the client configuration in IdentityServer4:

using System.Collections.Generic;
using IdentityServer4;
using IdentityServer4.Models;

public static IEnumerable<Client> GetClients()
{
    return new List<Client>
    {
        // JavaScript Client (browser-based, implicit flow)
        new Client
        {
            ClientId = "js",
            ClientName = "JavaScript Client",
            AllowedGrantTypes = GrantTypes.Implicit,
            // required for implicit flow: the access token is returned in the browser redirect
            AllowAccessTokensViaBrowser = true,

            RedirectUris = { "http://localhost:5003/callback.html" },
            PostLogoutRedirectUris = { "http://localhost:5003/index.html" },
            AllowedCorsOrigins = { "http://localhost:5003" },

            AllowedScopes =
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile,
                "api1"
            },
            // lifetime in seconds (the IdentityServer4 default is 3600)
            AccessTokenLifetime = 90
        }
    };
}

I'm using the JavaScript quickstart solution from the IdentityServer GitHub repo here: https://github.com/IdentityServer/IdentityServer4.Samples/tree/release/Quickstarts/7_JavaScriptClient

user1651370 Avatar asked Mar 07 '18 16:03




1 Answer

There is a clock skew in the Microsoft JWT validation middleware. It is set by default to 5 mins and cannot be less. Otherwise, the suggested lifetime of an access token is as short as possible, especially in client-side clients, where you are exposing it to the browser. So your best solution is to leave it as the default (300 seconds/5 minutes).

Check this topic - there is a good discussion around this.

m3n7alsnak3 Avatar answered Dec 27 '22 05:12

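The behaviour described in the question follows from how the resource server validates the token, not from IdentityServer's issuance: the JWT bearer middleware accepts a token until its exp claim plus the configured clock skew has passed, and that skew is the ClockSkew property of TokenValidationParameters (Microsoft.IdentityModel.Tokens), which defaults to five minutes. The following is an added example, not code from the question, the answer, or the IdentityServer4 samples, showing how the api1 resource server would configure JWT bearer validation with the skew set explicitly so that a 90-second token is rejected shortly after it expires. It assumes the API uses Microsoft.AspNetCore.Authentication.JwtBearer directly, that IdentityServer listens on http://localhost:5000 (a placeholder), and that the API resource is named api1 as in the client configuration above.

```csharp
// Added example: JWT bearer validation for the "api1" resource server.
// Assumptions: IdentityServer at http://localhost:5000 (placeholder address),
// API resource name "api1", Microsoft.AspNetCore.Authentication.JwtBearer package.
using System;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Discovery document and signing keys are fetched from this authority.
                options.Authority = "http://localhost:5000";   // placeholder
                options.Audience = "api1";
                options.RequireHttpsMetadata = false;          // local development only

                // Lifetime check: a token is accepted while
                //   now <= exp + ClockSkew
                // With the default ClockSkew of 5 minutes, a token issued with
                // AccessTokenLifetime = 90 is still accepted for roughly 6.5 minutes
                // after issuance. Setting the skew explicitly makes the observed
                // lifetime match the configured one (plus the chosen tolerance).
                options.TokenValidationParameters.ValidateLifetime = true;
                options.TokenValidationParameters.ClockSkew = TimeSpan.FromSeconds(30);
            });

        services.AddAuthorization();
    }
}
```

Pick the skew to match the real clock drift between IdentityServer and the API (they are the same machine in the quickstart, so a few seconds is plenty); a short access token lifetime on the client does nothing for security if the resource server quietly extends it by five minutes. To confirm the setting, call the API with a token whose exp has passed by more than the configured skew and check that the response is 401 rather than 200.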