asp.net web api - Absolute and idle session timeout owin WebAPI -


i creating webapi using oauth bearer authentication follow:

       var oauthserveroptions = new oauthauthorizationserveroptions         {             tokenendpointpath = new pathstring("/token"),             accesstokenexpiretimespan = timespan.fromminutes(100),             provider = new authorizationserverprovider(),             refreshtokenprovider = new refreshtokenprovider(),         };

the application generate tokens authenticated users, expire in 100 minutes. users must use refresh token continue access application. now, want change policy follow:

  • if user idle 100 minutes, user must login again (the application must return 401) - idle timeout
  • event if user not idle, user must login again after 8 hours - absolute timeout

i have searched several days, can't find suitable solution

is there solution or sample worked problem here? currently, removed refresh token ability, user must login again after 100 minutes.

thank much.

i don't see way have both timeouts @ same time in oauth 2.0.

regarding first timeout, idle timeout, can set refresh token timeout 100 minutes. access token timeout lesser , each time access token expires, both new access , refresh tokens. if user session idle more 100 minutes, when app try refresh token, oauth server realise refresh token has expired , not valid. user need enter credentials.

for second timeout, can set access token timeout 8 hours , don't implement refresh tokens.

take account token sent resource server, not same oauth server. resource server can check ticket token not expired, has no way control when token granted first time after user entered credentials.

if control both oauth , resource servers, workaround implementing 100 minutes timeout refresh token , including in ticket property time when user entered credentials. please see code below example:

public class authorizationserverprovider : oauthauthorizationserverprovider {     ...     public override async task grantresourceownercredentials(oauthgrantresourceownercredentialscontext context)     {         ...         var props = new authenticationproperties(new dictionary<string, string>         {             {                 "client_id", clientid             },             {                  "ownercredentialstimestamp", datetime.utcnow.tostring()             }         });          var ticket = new authenticationticket(identity, props);         context.validated(ticket);     }     ... }

when resource server obtains ticket contained in token, can compare value in property current time. in case of difference bigger 8 hours can return 401 - unauthorized response, forcing client app ask access token:

public class accesstokenprovider : iauthenticationtokenprovider {     public async task receiveasync(authenticationtokenreceivecontext context)     {         context.deserializeticket(context.token);          if (context.ticket.properties.dictionary["ownercredentialstimestamp"] != null)         {             var ownercredentialstimestamp = convert.todatetime(context.ticket.properties.dictionary["ownercredentialstimestamp"]).touniversaltime();              if (/* difference bigger 8 hours */)             {                 context.response.statuscode = (int)httpstatuscode.unauthorized;             }         }     } }

at point, client app try obtain new access token "refresh_token" request. oauth server has check again time of last entered credentials related current refresh token, there column in database table storing refresh tokens (if case).

you check in refreshtokenprovider.receiveasync() method: 

public class refreshtokenprovider : iauthenticationtokenprovider {     ...     public async task receiveasync(authenticationtokenreceivecontext context)     {         ...         /* check received refresh token, including last time credentials entered user */         ...     }     ... }

or in authorizationserverprovicer.grantrefreshtoken() method:

public class authorizationserverprovider : oauthauthorizationserverprovider {     ...     public override async task grantrefreshtoken(oauthgrantrefreshtokencontext context)     {         ...         /* check last time credentials entered user */         ...     }     ... }

this particular solution has nothing oauth 2.0 protocol.

i hope helps you.


-

Comments

Post a Comment

Popular posts from this blog

PySide and Qt Properties: Connecting signals from Python to QML -

i trying run simple pyside appliccation design made in qml. call function in qml python in separated thread. i have following qml view: import qt 4.7 rectangle { visible: true width: 100; height: 100 color: "lightgrey" text { id: datestr objectname: "datestr" x: 10 y: 10 text: "init text" font.pixelsize: 12 function updatedata(text) { datestr.text = qstr(text) console.log("you said: " + text) } } } here application: some imports.... #!/usr/bin/python import sys import time pyside import qtdeclarative, qtcore pyside.qtgui import qapplication pyside.qtdeclarative import qdeclarativeview the qthread worker.... #worker thread class worker(qtcore.qthread): updateprogress = qtcore.signal(int) def __init__(self, child): qtcore.qthread.__init__(self) self.child = child def run(self):
Read more

c# - DevExpress.Wpf.Grid.InfiniteGridSizeException was unhandled -

Image
when using devexpress, see error: devexpress.wpf.grid.infinitegridsizeexception unhandled message="by default, infinite grid height not allowed since grid rows rendered , hence grid work slowly. fix issue, should place grid container give finite height grid, or should manually specify grid's height or maxheight. note can avoid exception setting gridcontrol.allowinfinitegridsize static property true, in case grid run slowly." the problem dxgrid has infinite height. to fix, set height non-infinite. snoop absolutely invaluable this: if "height" xaml element infinite (i.e. 0 or nan ), can set using one of following: option 1: height="{binding path=actualheight, relativesource={relativesource mode=findancestor, ancestortype=uielement}}" option 2: verticalalignment="stretch" option 3: height="auto" hint: use verticalalignment="stretch" if child of grid <rowdefinition height=
Read more

scala - 'wrong top statement declaration' when using slick in IntelliJ -

Image
i'm porting project scala 2.9 2.10, therefore have use slick instead of scalaquery. i'm using slick 2.1.0 since supports ms access. according this tutorial , upgrade guide changed robs object class , added val robs : why error message wrong top statement declaration , how rid of it? edit: i'm new scala... according this question seems can't put val outside of methods or classes, right? code above directly in packge. right approach slick then? should move code in class or trait? according this changed val robs = tablequery[robs] to object robs extends tablequery(new robs(_)) {} . no warnings or errors anymore. :)
Read more