We are using IdentityServer4 and the oidc-client-js library for Angular. We noticed that the token is renewed automatically, which is fine. But we want the user to be signed out after the SlidingRefreshTokenLifetime has expired. We have set the AccessTokenLifetime to 900 (15 minutes) and the SlidingRefreshTokenLifetime to 7200 (2 hours). The user should be logged out after 2 hours when he is idle. This worked fine without oidc-client-js, when we made requests to IdentityServer ourselves using connect/token with the refresh token.
We are using automaticSilentRenew: true for the UserManagerSettings with the oidc-client-js library. This should be done only as long as the SlidingRefreshTokenLifetime didn't expire.
How can we accomplish this behaviour?
Edit: Also if we set automaticSilentRenew to false in oidc-client-js it still refreshes the token automatically.
We were able to accomplish our desired behaviour. We had to set SlidingRefreshTokenLifetime to false BUT also remove the following events even if their callbacks were empty:
addAccessTokenExpiring
addAccessTokenExpired
They were triggering an automatic token refresh as well.
Then we use our server response on every request to get a new token. We will get a 401 which we can handle with the following approach: Angular 4 Interceptor retry requests after token refresh
If the refresh token expired, now signinSilent will throw an invalid_grant exception which we can use to log out the user.
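The flow described in the answer above, as an added example that is not part of the original post or of oidc-client-js itself: on a 401 the access token is renewed once via signinSilent, and an invalid_grant error ends the session. It assumes `userManager` is a UserManager created with automaticSilentRenew: false; `sendRequest` and the shape of its result are hypothetical, as is the check on the error's `error`/`message` fields.

```javascript
// Added example. `userManager` is an oidc-client-js UserManager;
// `sendRequest(token)` is a hypothetical helper that performs one API call
// and resolves to an object with a numeric `status` field.

let renewalInFlight = null; // shared so concurrent 401s trigger one renewal

function isInvalidGrant(err) {
  // Assumption: the OAuth error code is exposed in `error` or in `message`.
  return !!err && (err.error === 'invalid_grant' ||
                   /invalid_grant/.test(String(err.message)));
}

// Resolves to the renewed user, or to null when the refresh token has expired
// and the user has been signed out. Other errors are rethrown.
function renewOnce(userManager) {
  if (!renewalInFlight) {
    renewalInFlight = userManager.signinSilent()
      .catch(async (err) => {
        if (!isInvalidGrant(err)) throw err; // e.g. network failure: keep session
        await userManager.removeUser();      // drop locally stored tokens
        await userManager.signoutRedirect(); // end the session at the IdP
        return null;
      })
      .finally(() => { renewalInFlight = null; });
  }
  return renewalInFlight;
}

async function requestWithRenew(userManager, sendRequest) {
  const user = await userManager.getUser();
  const response = await sendRequest(user ? user.access_token : null);
  if (response.status !== 401) return response;

  const renewed = await renewOnce(userManager);
  if (!renewed) return { status: 401, loggedOut: true };

  // Retry exactly once with the new token; a second 401 is returned as-is.
  return sendRequest(renewed.access_token);
}
```

In an Angular HTTP interceptor the same logic applies, with `sendRequest` replaced by re-issuing the cloned request with the new Authorization header.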