
How to set cookie expiration times for identity server, web api and client app?


I am new to IdentityServer and know very little about cookie management. I have configured a web API and a client app with IDS4. Below is my Startup.cs in IdentityServer.

public void ConfigureServices(IServiceCollection services)
{
    //...

    var builder = services.AddIdentityServer(options =>
    {
        options.EmitStaticAudienceClaim = true;
        options.IssuerUri = "https://localhost:5001";
    })
    //...
}

And here is my extension method to add authentication in the web API:

using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public static void AddCustomAuthentication(this IServiceCollection services, IConfiguration Configuration)
{
    services.AddAuthentication("Bearer")
        .AddJwtBearer("Bearer", options =>
        {
            // tell the system the base address of identity server
            options.Authority = Configuration["IdentityServerUri"];

            options.TokenValidationParameters = new TokenValidationParameters
            {
                // audience validation is switched off: any access token issued by
                // this authority is accepted, whichever API it was issued for
                ValidateAudience = false
            };
        });
}

And here is my extension method to add authentication in the client app:

using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public static void AddCustomAuthentication(this IServiceCollection services, IConfiguration Configuration)
{
    services.AddAuthentication(options =>
    {
        options.DefaultScheme = "Cookies";
        options.DefaultChallengeScheme = "oidc";
    })
    .AddCookie(options =>
    {
        options.Cookie.Name = "CorpLense.HR.WebClient";
    })
    .AddOpenIdConnect("oidc", options =>
    {
        options.Authority = Configuration["IdentityServerUri"];
        options.SignInScheme = "Cookies";

        options.ClientId = "CorpLense.HR.WebClient";
        options.ClientSecret = "***";
        options.ResponseType = "code";

        // keep access/refresh tokens in the authentication properties (i.e. in the cookie)
        options.SaveTokens = true;

        // get claims

        // request access to scopes

    });

    // built here but not applied in this snippet
    var policy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
}

And below is a screenshot of the cookies:


OBSERVATIONS

I have noticed that my client app stays logged in all the time. It does not ask me to log in even the next day. However, after every few hours my web API throws UNAUTHORIZED response codes. And when I log out and log in again from my client app, the API starts working fine again. Something tells me that perhaps the bearer token has expired.

OBJECTIVE

I just want to know how to have total control over cookies. I want the client app to automatically log out when the cookie on the server side has expired, or the cookie on the web API side has expired, or the cookie on the client app has expired. I also want to know how to control cookie expiration times, and how to refresh bearer tokens if they expire.


Solution

  • If I am not wrong, the default lifetime for the access token is 1 hour, and you need to implement support for refresh tokens to renew the token when the access token is about to expire.

    You can also configure the client cookie lifetime in AddCookie(...).

    Does this help you?

    See https://docs.duendesoftware.com/identityserver/v5/bff/extensibility/tokens/
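The two settings the answer points at, put side by side, as an added example that is not code from the question, the answer or the linked docs. It shows the IdentityServer4 per-client token lifetimes (AccessTokenLifetime is 3600 s by default, which matches the hourly 401s) next to the client app's cookie lifetime (ASP.NET Core's default ExpireTimeSpan is 14 days with sliding expiration, which is why the app never asks to log in again), plus a cookie OnValidatePrincipal event that uses the refresh token to renew the access token before it expires and signs the user out when the refresh fails. It assumes IdentityServer4 v4, ASP.NET Core 3.1 or later and the IdentityModel NuGet package; the client secret, the redirect URIs and the hr.api scope are placeholder values.

```csharp
// Added example, not code from the question or the answer. The secret, the
// redirect URIs and the "hr.api" scope are assumed placeholder values.
using System;
using System.Globalization;
using System.Net.Http;
using IdentityModel.Client;
using IdentityServer4;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.Extensions.DependencyInjection;

public static class TokenLifetimeSetup
{
    const string ClientId = "CorpLense.HR.WebClient";

    // 1. IdentityServer side: every token lifetime is a per-client setting, in seconds.
    //    Register it with services.AddIdentityServer(...).AddInMemoryClients(new[] { WebClient }).
    public static Client WebClient => new Client
    {
        ClientId = ClientId,
        ClientSecrets = { new Secret("replace-me".Sha256()) },           // placeholder secret
        AllowedGrantTypes = GrantTypes.Code,
        RedirectUris = { "https://localhost:5002/signin-oidc" },         // assumed client app URL
        PostLogoutRedirectUris = { "https://localhost:5002/signout-callback-oidc" },
        AllowedScopes =
        {
            IdentityServerConstants.StandardScopes.OpenId,
            IdentityServerConstants.StandardScopes.Profile,
            IdentityServerConstants.StandardScopes.OfflineAccess,       // needed to get a refresh token
            "hr.api",                                                   // assumed API scope
        },
        AllowOfflineAccess = true,
        AccessTokenLifetime = 60 * 60,                    // default 3600 s: what the API rejects after an hour
        RefreshTokenUsage = TokenUsage.OneTimeOnly,       // a new refresh token on every use
        RefreshTokenExpiration = TokenExpiration.Sliding,
        SlidingRefreshTokenLifetime = 24 * 60 * 60,       // must be used at least once a day
        AbsoluteRefreshTokenLifetime = 7 * 24 * 60 * 60,  // and never lives longer than a week
    };

    // 2. Client app side: the cookie lifetime is what keeps the browser "logged in";
    //    the OnValidatePrincipal event renews the access token with the refresh token
    //    on the first request that arrives in the last five minutes of its lifetime.
    public static void AddClientAuthentication(this IServiceCollection services, string authority, string clientSecret)
    {
        services.AddAuthentication(o =>
        {
            o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;   // "Cookies"
            o.DefaultChallengeScheme = "oidc";
        })
        .AddCookie(o =>
        {
            o.Cookie.Name = ClientId;
            o.ExpireTimeSpan = TimeSpan.FromHours(8);   // framework default is 14 days
            o.SlidingExpiration = true;                 // renewed when more than half has elapsed
            o.Events.OnValidatePrincipal = async ctx =>
            {
                var expiresAtText = ctx.Properties.GetTokenValue("expires_at");
                var refreshToken = ctx.Properties.GetTokenValue("refresh_token");
                if (expiresAtText == null || refreshToken == null) return;   // no SaveTokens / offline_access

                var expiresAt = DateTimeOffset.Parse(expiresAtText, CultureInfo.InvariantCulture);
                if (expiresAt - DateTimeOffset.UtcNow > TimeSpan.FromMinutes(5)) return;   // still fresh

                using var http = new HttpClient();   // use IHttpClientFactory in a real app
                var disco = await http.GetDiscoveryDocumentAsync(authority);
                var response = disco.IsError ? null : await http.RequestRefreshTokenAsync(new RefreshTokenRequest
                {
                    Address = disco.TokenEndpoint, ClientId = ClientId, ClientSecret = clientSecret, RefreshToken = refreshToken,
                });
                if (response == null || response.IsError)
                {
                    // Refresh token expired, revoked or already used: end the session so the
                    // next request is challenged and the user has to sign in again.
                    ctx.RejectPrincipal();
                    await ctx.HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
                    return;
                }

                ctx.Properties.UpdateTokenValue("access_token", response.AccessToken);
                if (response.RefreshToken != null) ctx.Properties.UpdateTokenValue("refresh_token", response.RefreshToken);
                ctx.Properties.UpdateTokenValue("expires_at",
                    DateTimeOffset.UtcNow.AddSeconds(response.ExpiresIn).ToString("o", CultureInfo.InvariantCulture));
                ctx.ShouldRenew = true;   // write the new tokens back into the cookie
            };
        })
        .AddOpenIdConnect("oidc", o =>
        {
            o.Authority = authority;
            o.ClientId = ClientId;
            o.ClientSecret = clientSecret;
            o.ResponseType = "code";
            o.SaveTokens = true;               // without this there is nothing to refresh
            o.Scope.Add("hr.api");
            o.Scope.Add("offline_access");     // ask for a refresh token
        });
    }
}
```

The web API has no cookie of its own: a 401 there means the access token's exp claim has passed (plus the JWT bearer handler's ClockSkew, 5 minutes by default), so the only places to change that are AccessTokenLifetime on the IdentityServer client and the refresh logic in the client app. Two caveats a practitioner will hit: with RefreshTokenUsage set to OneTimeOnly, two concurrent requests that both try to refresh will race, and the loser is signed out, so serialize the refresh (the BFF library in the linked docs does this for you); and a long ExpireTimeSpan with sliding expiration means a stolen cookie stays valid as long as it keeps being used, so keep it short and rely on the refresh token's sliding and absolute lifetimes to bound the session.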