I have an application (ASP.Net Core 2.2, IdentityServer4) which is working fine. Now I need to authenticate some devices or applications in my application to let them call my APIs.
I've read these links:
IdentityServer4 Access Token Lifetime
Bearer token that never expires
but these are not something that I need.
I need to make some kind of authentication that never expires and I just expire that manually. What is the correct solution? Any ideas would be appreciated.
Perhaps you can use Reference Tokens, not to be mistaken for Refresh Tokens.
From the documentation:
When using reference tokens - IdentityServer will store the contents of the token in a data store and will only issue a unique identifier for this token back to the client. The API receiving this reference must then open a back-channel communication to IdentityServer to validate the token.
So the reference is only a reference. It contains no information about security or expiration. The referenced information is stored in the data store and is only accessible by the resource that receives the reference token, using back-channel communication. The reference remains valid until it is removed from the data store (token is revoked).
In order to make this work you should use AddIdentityServerAuthentication in the client and api for handling and validating reference tokens. You can configure the client to use reference tokens as follows (as documented):
client.AccessTokenType = AccessTokenType.Reference;
The documentation also mentions a secret for the api.
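The pieces described in the answer above, put together as an added example (not code from the original post or from the IdentityServer4 documentation): the client and API resource registered in IdentityServer, the API validating reference tokens over the back channel, and a manual revocation call. The names `device-api` and `device-001`, the secrets and the `identity.example.test` host are placeholders, and `RevokeTokenAsync` assumes the IdentityModel client package with its request-object API.

```csharp
using System.Collections.Generic;
using System.Net.Http;
using System.Threading.Tasks;
using IdentityModel.Client;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

// All names, secrets and URLs below are constructed placeholders.
public static class ReferenceTokenExample
{
    // IdentityServer side: the API needs its own secret to call introspection.
    public static IEnumerable<ApiResource> Apis() => new[]
    {
        new ApiResource("device-api") { ApiSecrets = { new Secret("api-secret".Sha256()) } }
    };

    // IdentityServer side: a machine client that is issued reference tokens.
    public static IEnumerable<Client> Clients() => new[]
    {
        new Client
        {
            ClientId = "device-001",
            ClientSecrets = { new Secret("device-secret".Sha256()) },
            AllowedGrantTypes = GrantTypes.ClientCredentials,
            AllowedScopes = { "device-api" },
            AccessTokenType = AccessTokenType.Reference,
            // Seconds. The lifetime is stored with the token and still applies.
            AccessTokenLifetime = 60 * 60 * 24 * 365
        }
    };

    // API side (ConfigureServices): validate each token against IdentityServer.
    public static void AddApiAuthentication(IServiceCollection services) =>
        services.AddAuthentication("Bearer")
            .AddIdentityServerAuthentication(o =>
            {
                o.Authority = "https://identity.example.test";
                o.ApiName = "device-api";
                o.ApiSecret = "api-secret";
            });

    // Manual expiry: revoke the token at IdentityServer's revocation endpoint.
    public static async Task<bool> RevokeAsync(HttpClient http, string referenceToken)
    {
        var result = await http.RevokeTokenAsync(new TokenRevocationRequest
        {
            Address = "https://identity.example.test/connect/revocation",
            ClientId = "device-001", ClientSecret = "device-secret",
            Token = referenceToken
        });
        return !result.IsError;
    }
}
```

If `EnableCaching` is turned on in the API's authentication options, a revoked token keeps being accepted until the cached introspection result expires, so keep `CacheDuration` short where prompt revocation matters.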