Tags: c#, angular, asp.net-core, identityserver4

Can I request IdentityServer4 tokens from client if server was rebooted?


It's very difficult to ask questions on ID4. Also, all relevant discussions I could google point to non-existing links for code samples.

What I have: an Angular client uses ID4 auth made up of MVC pages provided by Microsoft, hosted in ASP.NET Core.

Startup.cs

// ASP.NET Core Identity with EF Core as the user store
services.AddDefaultIdentity<ApplicationUser>(options => options.SignIn.RequireConfirmedAccount = true)
    .AddEntityFrameworkStores<AppDbContext>();

// IdentityServer4 configured via the ASP.NET Core "API authorization" helpers
services.AddIdentityServer()
    .AddApiAuthorization<ApplicationUser, AppDbContext>();

// JWT bearer authentication for the API endpoints, validated against IdentityServer
services.AddAuthentication()
    .AddIdentityServerJwt();

. . .

// Middleware pipeline (note: UseIdentityServer already adds the authentication middleware)
app.UseAuthentication();
app.UseIdentityServer();
app.UseAuthorization();

authorize.service.ts

// Client settings fetched from the server, then used to build the oidc-client UserManager
const settings: any = await response.json();
settings.automaticSilentRenew = true;       // renew the access token in an iframe before it expires
settings.includeIdTokenInSilentRenew = true; // send id_token_hint on the silent renew request
this.userManager = new UserManager(settings);

Use case: a user logs in on the webpage, ticks the Remember Me checkbox and uses the auth'ed website parts. If the server restarts, the tokens are lost and user interaction with the website becomes broken - e.g. there are no errors in the web browser console and nothing happens if the user tries to access any server-side data. It looks like nothing is there. Not as if there is an issue with the auth.

It can only be fixed by a manual logout/login. Or by opening a new tab and going to the app again.

Is there a simple explanation of how I can a) detect that the client token is broken and b) request a new token?

EDIT: if a user continues to use the website the next working day or opens a new browser tab (without a server restart), ID4 works as expected - no login required.

The Fiddler capture (screenshot not included in this extract).


Solution

  • The short answer is: nothing should break if the server process (either the application backend or the identityserver4-based IDP) restarts, so chances are you're missing some persistence (for persisted grants) and/or shared config (e.g. token signing keys and ASP.NET data protection keys) and things are being regenerated on startup and in-memory data is being lost.

    This article covers the things you need to consider to deploy a viable production service: https://docs.identityserver.io/en/latest/topics/deployment.html

    With that all in place, though, tokens will still expire, and there are a couple of ways to refresh them depending on the context and grant type in use.

    To detect if a token is not valid anymore:

    1. Use it and detect if you get a 401 response from the endpoint you're calling
    2. Check the exp claim inside the token yourself
    3. Use the expires_in value returned with the token and calculate the expiry time based on that

    To renew it (and some libs will automate this):

    1. Use the iframe-based silent renewal mechanism (authorize endpoint with prompt=none) - note that third-party cookie restrictions come into play for this
    2. Use a refresh token via the token endpoint (not recommended for client-side apps due to the need to persist a refresh token on the client side)
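As an added example (not code from the question, the answer, or oidc-client), detection options 2 and 3 from the answer in TypeScript: reading the exp claim from a JWT and computing the expiry from expires_in, with a hypothetical skew margin and a constructed, unsigned sample token.

```typescript
// Added example: local checks for whether an access token is still usable,
// following options 2 (exp claim) and 3 (expires_in) of the answer above.
const B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

// Minimal base64url codec for ASCII JWT segments (no atob/Buffer dependency).
function b64uEncode(s: string): string {
  let bits = 0, buf = 0, out = "";
  for (let i = 0; i < s.length; i++) {
    buf = (buf << 8) | (s.charCodeAt(i) & 0xff); bits += 8;
    while (bits >= 6) { bits -= 6; out += B64[(buf >> bits) & 0x3f]; buf &= (1 << bits) - 1; }
  }
  if (bits > 0) out += B64[(buf << (6 - bits)) & 0x3f];
  return out.replace(/\+/g, "-").replace(/\//g, "_"); // base64url alphabet, no padding
}
function b64uDecode(s: string): string {
  const std = s.replace(/-/g, "+").replace(/_/g, "/");
  let bits = 0, buf = 0, out = "";
  for (let i = 0; i < std.length && std[i] !== "="; i++) {
    const v = B64.indexOf(std[i]);
    if (v < 0) throw new Error("invalid base64url input");
    buf = (buf << 6) | v; bits += 6;
    if (bits >= 8) { bits -= 8; out += String.fromCharCode((buf >> bits) & 0xff); buf &= (1 << bits) - 1; }
  }
  return out;
}
// Option 2: read the exp claim (seconds since the Unix epoch) from the JWT payload.
// This is only a local pre-check; the API's own validation (signature, audience) still decides.
function tokenExpiry(jwt: string): number {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  const payload = JSON.parse(b64uDecode(parts[1]));
  if (typeof payload.exp !== "number") throw new Error("no exp claim");
  return payload.exp;
}
// Treat the token as unusable skewSeconds before exp so renewal starts early (hypothetical margin).
function needsRenewal(jwt: string, nowSeconds: number, skewSeconds = 60): boolean {
  return nowSeconds + skewSeconds >= tokenExpiry(jwt);
}
// Option 3: derive the absolute expiry from expires_in captured when the token arrived.
function expiryFromExpiresIn(receivedAtSeconds: number, expiresIn: number): number {
  return receivedAtSeconds + expiresIn;
}
// Constructed sample: an unsigned token (empty signature part) with a made-up sub and exp.
function sampleJwt(exp: number): string {
  const header = b64uEncode(JSON.stringify({ alg: "none", typ: "JWT" }));
  const payload = b64uEncode(JSON.stringify({ sub: "user-1", exp }));
  return `${header}.${payload}.`;
}
```

In the app above oidc-client's UserManager already performs this bookkeeping when automaticSilentRenew is set; the functions here make the checks visible.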