asp.net web api - Absolute and idle session timeout owin WebAPI -


i creating webapi using oauth bearer authentication follow:

       var oauthserveroptions = new oauthauthorizationserveroptions         {             tokenendpointpath = new pathstring("/token"),             accesstokenexpiretimespan = timespan.fromminutes(100),             provider = new authorizationserverprovider(),             refreshtokenprovider = new refreshtokenprovider(),         }; 

the application generate tokens authenticated users, expire in 100 minutes. users must use refresh token continue access application. now, want change policy follow:

  • if user idle 100 minutes, user must login again (the application must return 401) - idle timeout
  • event if user not idle, user must login again after 8 hours - absolute timeout

i have searched several days, can't find suitable solution

is there solution or sample worked problem here? currently, removed refresh token ability, user must login again after 100 minutes.

thank much.

i don't see way have both timeouts @ same time in oauth 2.0.

regarding first timeout, idle timeout, can set refresh token timeout 100 minutes. access token timeout lesser , each time access token expires, both new access , refresh tokens. if user session idle more 100 minutes, when app try refresh token, oauth server realise refresh token has expired , not valid. user need enter credentials.

for second timeout, can set access token timeout 8 hours , don't implement refresh tokens.

take account token sent resource server, not same oauth server. resource server can check ticket token not expired, has no way control when token granted first time after user entered credentials.

if control both oauth , resource servers, workaround implementing 100 minutes timeout refresh token , including in ticket property time when user entered credentials. please see code below example:

public class authorizationserverprovider : oauthauthorizationserverprovider {     ...     public override async task grantresourceownercredentials(oauthgrantresourceownercredentialscontext context)     {         ...         var props = new authenticationproperties(new dictionary<string, string>         {             {                 "client_id", clientid             },             {                  "ownercredentialstimestamp", datetime.utcnow.tostring()             }         });          var ticket = new authenticationticket(identity, props);         context.validated(ticket);     }     ... } 

when resource server obtains ticket contained in token, can compare value in property current time. in case of difference bigger 8 hours can return 401 - unauthorized response, forcing client app ask access token:

public class accesstokenprovider : iauthenticationtokenprovider {     public async task receiveasync(authenticationtokenreceivecontext context)     {         context.deserializeticket(context.token);          if (context.ticket.properties.dictionary["ownercredentialstimestamp"] != null)         {             var ownercredentialstimestamp = convert.todatetime(context.ticket.properties.dictionary["ownercredentialstimestamp"]).touniversaltime();              if (/* difference bigger 8 hours */)             {                 context.response.statuscode = (int)httpstatuscode.unauthorized;             }         }     } } 

at point, client app try obtain new access token "refresh_token" request. oauth server has check again time of last entered credentials related current refresh token, there column in database table storing refresh tokens (if case).

you check in refreshtokenprovider.receiveasync() method:

public class refreshtokenprovider : iauthenticationtokenprovider {     ...     public async task receiveasync(authenticationtokenreceivecontext context)     {         ...         /* check received refresh token, including last time credentials entered user */         ...     }     ... } 

or in authorizationserverprovicer.grantrefreshtoken() method:

public class authorizationserverprovider : oauthauthorizationserverprovider {     ...     public override async task grantrefreshtoken(oauthgrantrefreshtokencontext context)     {         ...         /* check last time credentials entered user */         ...     }     ... } 

this particular solution has nothing oauth 2.0 protocol.

i hope helps you.


Comments

Popular posts from this blog

scala - 'wrong top statement declaration' when using slick in IntelliJ -

c# - DevExpress.Wpf.Grid.InfiniteGridSizeException was unhandled -

PySide and Qt Properties: Connecting signals from Python to QML -