Session Timeout when using IdentityServer4 and Oidc client causing Silent Renew to stop working

时间:2017-08-30 21:01:59

标签: asp.net-mvc asp.net-core asp.net-identity identityserver4 oidc

I am currently involved in development of an Angular4 SPA application connected to a .NET CORE 1.1 WebApi using IdentityServer4 as it's authentication service.

On the Angular side we are using the Oidc client from Damien Bod 1.2.1 - https://github.com/damienbod/angular-auth-oidc-client.

We have managed to successfully setup and login via IdentityServer. The problem arises that are exactly 30min we are getting a SessionTimeout on the IdentityServer and from there the Oidc client obtains a 401 and so is now not authorized.

The Oidc client is configured to use Silent Renew so is supposed to keep the session open. However this does not appear to be the case. Comments from the Oidc author Damien Bod seem to indicate that the IdentityServer4 session has timedout.

Question: How can we ensure the IdentityServer4 session does not time out when using the Silent Renew of the Oidc package.

Setup on our IdentityServer4 side:

</body>

Setup on our client side:

<!-- load all css first -->
<link href="https://maxcdn.bootstrapcdn.com/twitter-bootstrap/2.3.2/css/bootstrap-combined.min.css" rel="stylesheet" />



<li class="dropdown">
  <a href="#" class="dropdown-toggle" data-toggle="dropdown">Art</a>
  <ul class="dropdown-menu" role="menu">
    <li><a href="UploadArt.aspx">Upload Art</a></li>
    <li><a href="SearchForArt.aspx">Search For Art</a></li>
  </ul>
</li>


<!-- put all js before </body> tag -->
<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.1/jquery.min.js"></script>
<script src="https://maxcdn.bootstrapcdn.com/twitter-bootstrap/2.3.2/js/bootstrap.min.js"></script>

Log files from IdentityServer which shows the timeout:

template<typename T, T N>
constexpr auto make_constexpr_array(std::integral_constant<T, N>)
{
    std::array<int,N> result = {};
    for (int i = 0; i < N; ++i)
        result[i] = (3*i - 1)/2;
    return result;
}

int main()
{
    constexpr auto arr = make_constexpr_array(std::integral_constant<int, 6>{});
    static_assert(arr[0] == 0);
    static_assert(arr[1] == 1);
    static_assert(arr[2] == 2);
    static_assert(arr[3] == 4);
    static_assert(arr[4] == 5);
    static_assert(arr[5] == 7);
}

2 个答案:

答案 0 :(得分:0)

这可能根本不是UI客户端的问题,而是在IdentityServer端使cookie无效,从而有效地将用户签名。

似乎扩展这个的设置是SecurityStampValidationInterval,例如(到1小时):

 services.AddIdentity<IdentityUser, IdentityRole>(
                        options =>
                        {
                            options.Cookies.ApplicationCookie.AuthenticationScheme = cookieAuth.AuthenticationScheme;

                            options.SecurityStampValidationInterval = TimeSpan.FromHours(1);

                            options.Password.RequiredLength = 8;
                            options.Password.RequireUppercase = true;
                            options.Password.RequireLowercase = true;
                            options.Password.RequireNonAlphanumeric = true; 
                            options.Password.RequireDigit = true;
                        })

然而,这并不理想,因为即使没有任何改变,用户仍然会在1小时后退出。为什么会出现这种情况还有待确定。

答案 1 :(得分:0)

问题可能出在您登录用户时使用的方法。

如果您使用HttpContext.SignInAsync(...),则应将SecurityStamp声明明确传递给它:

var secStampClaim = new Claim(
    _userManager.Options.ClaimsIdentity.SecurityStampClaimType,
    user.SecurityStamp);
await HttpContext.SignInAsync(user.Id.ToString(), secStampClaim);

但是我认为最好使用SignInManager,它将构建声明主体并将SecurityStamp声明添加到cookie:

await _signInManager.SignInAsync(user, false);
相关问题
最新问题