I’m having trouble handling expired access token in my app, using openIdConnect and cookie authentication.
much like en this question: AddOpenIdConnect and Refresh Tokens in ASP.NET Core
The answer is to listen in on the cookievalidation event, and validate the accesstoken.
This leaves me with a new question, what is the point of using the cookie authentication scheme, if it cannot enfore accesstoken expiration ?
As i see it, unless you inject custom code for this, the authentication scheme will always fail, as the cookie expiration is renewed in the browser per request, and the authentication scheme doesn’t enforce the lifetime of the accesstoken, even when UseTokenLifetime=true.
which makes the UseTokenLifetime option completely useless.
What am i missing here, is there a use case where this authentication scheme makes sense, without custom handling of the token within the cookie ?
in case it’s relevant,here’s how i configure it in my app:
builder.Services.AddAuthentication(options =>
{
options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie(options =>
{
options.LoginPath = "/Account/Login";
options.ExpireTimeSpan = TimeSpan.FromSeconds(10);
})
.AddOpenIdConnect(options =>
{
options.Authority = "myauthserver";
options.ClientId = "myclient";
options.ClientSecret = "clientsecret";
options.ResponseType = OpenIdConnectResponseType.Code;
options.SaveTokens = true;
options.UseTokenLifetime = true;
options.SignedOutCallbackPath = "/Home/Signout";
options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.Scope.Add("openid");
options.TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = "preferred_username",
RoleClaimType = "roles"
};
});
The tech stack can be used in two ways.
WEBSITE SECURITY
You use OIDC to manage authentication at an identity system. The website validates the ID token, saves its claims to the cookie and discards other tokens. The cookie is used as a data credential with an ExpireTimeSpan that you set. When the website receives a cookie it directly interacts with a database.
API SECURITY
If you instead use API security then the browser has a session with its APIs, represented by the access and refresh tokens. You use cookies to transport tokens to the .NET backend, which then forwards access tokens to APIs.
All expiry is based on that of the access and refresh tokens. When access tokens expire, APIs return a 401 status. You can handle token refresh in either the .NET backend or a JavaScript frontend.
When you use tokens to call APIs, you should configure cookies to be session cookies that do not have an expiry, so you do not set the ExpireTimeSpan property. The cookies are removed upon logout or if the user closes the browser.