
Force users to re-login if they are inactive in 30 minutes #957


0
nhontran created
  • ABP Framework version: v3.3.2
  • UI type: Angular
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): yes
  • Exception message and stack trace:
  • Steps to reproduce the issue:

Hi, I want to force the users to re-login if they are inactive for 30 minutes. I have tried to set the expiry time for Cookies as below, but it does not work:

    context.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        .AddJwtBearer(options =>
        {
            options.Authority = configuration["AuthServer:Authority"];
            options.RequireHttpsMetadata = Convert.ToBoolean(configuration["AuthServer:RequireHttpsMetadata"]);
            options.Audience = "TestingApplication";
        })
        .AddCookie("Cookies", options =>
        {
            options.ExpireTimeSpan = TimeSpan.FromMinutes(30);
            options.SlidingExpiration = true;
        });

Does anyone know how to achieve it? Any help would be much appreciated.


11 Answer(s)
  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    Changing the Cookies options only affects the Identity Server website.

    The Angular client uses JWT for authentication. @Mehmet, do you have any advice?

  • User Avatar
    1
    Mehmet created

    Hi @nhontran

    You can handle many cases (listening to some JavaScript events, sharing user activity data with opened tabs, etc.) to achieve this. What I suggest is to use a third-party library like this: https://github.com/rednez/angular-user-idle

    But I did not go into detail with the package. You can examine the package and use it if you wish.

    If you want to handle some cases in your app, you can do this in a service.


    You can use the AuthService, which is exported from the @abp/ng.core package, for logging out. See an example:

    import { Injectable } from '@angular/core';
    import { AuthService } from '@abp/ng.core';
    
    @Injectable()
    export class MyService {
      constructor(private authService: AuthService){}
    
      // Ends the current session through ABP's AuthService.
      logout() {
        this.authService.logout().subscribe();
      }
    }
    
  • User Avatar
    0
    nhontran created

    Hi @Mehmet, thanks for your response. This is exactly what I have done at the frontend side. I just want to implement it at the backend now.

  • User Avatar
    0
    gterdem created
    Support Team Senior .NET Developer

    > This is exactly what I have done at the frontend side. I just want to implement it at the backend now.

    By backend, do you mean the API? You are using an Angular application calling an API, which is stateless. Whenever the token is expired or invalidated, you will be redirected back to login. There is nothing to implement in the backend.

    Closing the issue. Feel free to re-open or create a new one if your problem persists.

  • User Avatar
    0
    nhontran created

    Hi @gterdem, sorry for taking too long to reply.

    We already implemented the front-end to trigger logout if the user is inactive for 30 mins and set the access token lifetime = 30 mins as well, but it sometimes does not work. We checked the logs and found that the client side managed to call refresh token successfully.

    As per the Identity Server documentation, the default refresh token lifetime is 30 days: "AbsoluteRefreshTokenLifetime: Maximum lifetime of a refresh token in seconds. Defaults to 2592000 seconds / 30 days."

    https://identityserver4.readthedocs.io/en/latest/topics/refresh_tokens.html

    This client setting is not available in the UI (Administration -> Identity Server -> Clients).

    Is there any other way to configure it?

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi nhontran

    It looks like you don't plan to continue using this refresh token feature?

  • User Avatar
    0
    nhontran created

    Hi @maliming, if the user is active on the site, we still need to refresh the token before expiration.

    We just don't want to refresh the token if the user is inactive for a period of time (30 mins).
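
One way to implement the requirement stated above, combined with the activity sharing across tabs mentioned in Mehmet's answer (an added example, not code from the thread, ABP, or angular-user-idle): a gate that is consulted before every scheduled token refresh and only allows it when any tab has seen recent user activity. `createIdleRefreshGate`, `createMemoryStore`, `KeyValueStore` and the storage key are hypothetical names; a real app would pass `window.localStorage` as the store.

```typescript
// Minimal storage contract; window.localStorage satisfies it in a browser.
interface KeyValueStore {
  getItem(key: string): string | null;
  setItem(key: string, value: string): void;
}

type RefreshDecision = 'refresh' | 'logout';

const IDLE_LIMIT_MS = 30 * 60 * 1000;         // 30 minutes, as in the thread
const LAST_ACTIVITY_KEY = 'app.lastActivity'; // hypothetical key name

function createIdleRefreshGate(
  store: KeyValueStore,
  now: () => number = () => Date.now(),
  idleLimitMs: number = IDLE_LIMIT_MS,
) {
  return {
    // Call from throttled input handlers (click, keydown, ...) in every tab.
    recordActivity(): void {
      store.setItem(LAST_ACTIVITY_KEY, String(now()));
    },
    // Call immediately before each scheduled token refresh.
    decide(): RefreshDecision {
      const raw = store.getItem(LAST_ACTIVITY_KEY);
      const last = raw === null || raw.trim() === '' ? NaN : Number(raw);
      // Missing or corrupted timestamps fail closed: no refresh without
      // evidence of recent activity.
      if (!Number.isFinite(last)) return 'logout';
      const idleFor = now() - last;
      return idleFor >= 0 && idleFor < idleLimitMs ? 'refresh' : 'logout';
    },
  };
}

// In-memory stand-in for localStorage so the example runs outside a browser.
function createMemoryStore(): KeyValueStore {
  const data = new Map<string, string>();
  return {
    getItem: (key) => data.get(key) ?? null,
    setItem: (key, value) => { data.set(key, value); },
  };
}
```

On a `'logout'` decision the app would call the `AuthService.logout()` shown earlier in the thread instead of requesting new tokens. The gate only controls what the client asks for; the refresh token lifetime configured on the server still decides what is accepted.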

  • User Avatar
    0
    alper created
    Support Team Director

    Sorry, I couldn't read the history, but how about writing a setInterval method for 30 mins on the client which makes a request to refresh the token at 29:50:00? If the user has closed the browser then it'll not work and the token will expire in the specified time.

  • User Avatar
    0
    nhontran created

    Hi @alper, I think the issue can be resolved by setting the AbsoluteRefreshTokenLifetime to 30 mins instead of the default 30 days. Is there a way to achieve it?

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    You can change AbsoluteRefreshTokenLifetime in the database or in IdentityServerDataSeedContributor.

    AbsoluteRefreshTokenLifetime: 31536000 (default 365 days) => 1800 (30 min)
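
How an absolute refresh-token lifetime differs from a sliding one for active and idle users, as an added simplified model (not code from the thread, and not IdentityServer4 or ABP source). The policy fields stand in for the IdentityServer4 client settings AbsoluteRefreshTokenLifetime and SlidingRefreshTokenLifetime; the function name, the refresh timelines and the 8-hour cap are constructed assumptions.

```typescript
// Simplified model of refresh-token expiry. Times are seconds after login.
type Expiration = 'Absolute' | 'Sliding';

interface RefreshPolicy {
  expiration: Expiration;
  absoluteLifetime: number; // stands in for AbsoluteRefreshTokenLifetime
  slidingLifetime: number;  // stands in for SlidingRefreshTokenLifetime
}

// Replays refresh attempts made at the given times and reports, for each one,
// whether the refresh token was still accepted at that moment.
function replayRefreshes(policy: RefreshPolicy, attempts: number[]): boolean[] {
  const hardLimit = policy.absoluteLifetime;
  let validUntil =
    policy.expiration === 'Sliding'
      ? Math.min(policy.slidingLifetime, hardLimit)
      : hardLimit;
  let expired = false;
  return attempts.map((t) => {
    if (expired || t >= validUntil) {
      expired = true; // the user has to log in again from here on
      return false;
    }
    if (policy.expiration === 'Sliding') {
      // Each successful refresh extends the window, never past the hard limit.
      validUntil = Math.min(t + policy.slidingLifetime, hardLimit);
    }
    return true;
  });
}

// Constructed refresh timelines.
const ACTIVE_USER = [1500, 3000, 4500, 6000]; // refreshes every 25 minutes
const IDLE_USER = [1500, 6000];               // 75-minute gap after one refresh

// 2592000 is the documented default quoted in the thread; 1800 is 30 minutes.
const DEFAULT_ABSOLUTE: RefreshPolicy =
  { expiration: 'Absolute', absoluteLifetime: 2592000, slidingLifetime: 0 };
const ABSOLUTE_30_MIN: RefreshPolicy =
  { expiration: 'Absolute', absoluteLifetime: 1800, slidingLifetime: 0 };
const SLIDING_30_MIN: RefreshPolicy = // 28800 s (8 h) cap is an assumed value
  { expiration: 'Sliding', absoluteLifetime: 28800, slidingLifetime: 1800 };
```

In this model a 30-minute absolute lifetime rejects the active user's second refresh as well as the idle user's, while the sliding policy keeps the active user signed in and rejects only the refresh that follows the 75-minute gap. A sliding window measures idleness only if the client stops refreshing while the user is inactive.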

  • User Avatar
    0
    ServiceBot created
    Support Team Automatic process manager

    This question has been automatically marked as stale because it has not had recent activity.

Made with ❤️ on ABP v8.2.0-preview Updated on March 25, 2024, 15:11