This repository has been archived by the owner on Sep 18, 2021. It is now read-only.

Resource Owner Flow with Refresh Token sample returns unauthorized after 60 seconds if token not first refreshed #591

Closed
stuartwhiteford opened this issue Nov 27, 2014 · 5 comments

@stuartwhiteford

Hi,

I'm running the Resource Owner Flow with Refresh Token sample against the Identity Server and have a query about calling the IdentityController without first refreshing the token. My modified Main method is as follows:

    static void Main(string[] args)
    {
        // _oauth2 is the static OAuth2Client field declared elsewhere in the sample
        _oauth2 = new OAuth2Client(
            new Uri(Constants.TokenEndpoint),
            "roclient",
            "secret");

        // Resource owner password grant: response carries the access and refresh token
        var response = RequestToken();
        ShowResponse(response);

        // Console.ReadLine();

        int i = 0;

        while (true)
        {
            // Refresh deliberately left out: the original access token is reused every time
            //response = RefreshToken(response.RefreshToken);
            //ShowResponse(response);

            // Console.ReadLine();
            CallService(response.AccessToken);

            // Sleep 5 seconds longer on each iteration: 5, 10, 15, ... seconds
            i += 5000;
            Console.WriteLine("Sleeping for {0} seconds.", (i / 1000));
            Thread.Sleep(i);
        }
    }

I eventually get a 401 response returned after the thread has gone to sleep for 60 seconds. My question is why 60 seconds? My Client configuration in IdentityServer is as follows:

    ...
    new Client
    {
        ClientName = "Resource Owner Flow Client",
        Enabled = true,
        ClientId = "roclient",
        ClientSecret = "secret",
        Flow = Flows.ResourceOwner,

        // offline_access is what allows a refresh token to be issued
        ScopeRestrictions = new List<string>
        { 
            "read",
            "write",
            "offline_access"
        },

        // All lifetimes are in seconds
        AccessTokenType = AccessTokenType.Jwt,
        AccessTokenLifetime = 15,
        AbsoluteRefreshTokenLifetime = 15,
        SlidingRefreshTokenLifetime = 15,

        // Each refresh token can be used once; every refresh slides the lifetime window
        RefreshTokenUsage = TokenUsage.OneTimeOnly,
        RefreshTokenExpiration = TokenExpiration.Sliding
    }
    ...

Thanks,
Stuart.

@leastprivilege
Member

What is your question? Is it why the token does not expire after 15 seconds?

@stuartwhiteford
Author

Yes.

@leastprivilege
Member

The MS JWT token handler has a clock skew feature to allow for clocks that are not perfectly in sync. This is (IIRC) 5 minutes by default.
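The skew tolerance described above can be reproduced on the resource side. The following is an added example, not code from this issue or from IdentityServer; it assumes the current System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.Tokens packages, and the issuer, audience and HMAC key are made up. It mints a JWT whose 15-second lifetime ended 45 seconds ago (the situation after the 60-second sleep) and validates it with different `ClockSkew` settings.

```csharp
// Added example (not from the issue or IdentityServer): why a 15-second JWT is still accepted
// a minute later. Assumes System.IdentityModel.Tokens.Jwt + Microsoft.IdentityModel.Tokens;
// issuer, audience and key below are constructed for the demo.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

static class ClockSkewDemo
{
    // Constructed 256-bit HMAC key; a real resource server uses the issuer's signing key.
    static readonly SymmetricSecurityKey Key =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("0123456789abcdef0123456789abcdef"));

    const string Issuer = "https://idsrv.example";   // assumption
    const string Audience = "api";                    // assumption

    // Mint a token whose 15-second lifetime ended `secondsAgo` seconds before now.
    static string MintExpiredToken(int secondsAgo)
    {
        var now = DateTime.UtcNow;
        var token = new JwtSecurityToken(
            issuer: Issuer,
            audience: Audience,
            claims: new[] { new Claim("sub", "alice") },
            notBefore: now.AddSeconds(-secondsAgo - 15),
            expires: now.AddSeconds(-secondsAgo),
            signingCredentials: new SigningCredentials(Key, SecurityAlgorithms.HmacSha256));
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Validate with a given skew: true if the handler accepts the token, false if it
    // rejects it as expired. Lifetime validation passes while exp + ClockSkew >= now.
    static bool Accepts(string jwt, TimeSpan clockSkew)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKey = Key,
            ClockSkew = clockSkew,   // the handler's default is TimeSpan.FromMinutes(5)
        };
        try
        {
            new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out _);
            return true;
        }
        catch (SecurityTokenExpiredException)
        {
            return false;
        }
    }

    static void Main()
    {
        string jwt = MintExpiredToken(secondsAgo: 45);
        Console.WriteLine("5 min skew (default): {0}", Accepts(jwt, TimeSpan.FromMinutes(5)));
        Console.WriteLine("30 s skew:            {0}", Accepts(jwt, TimeSpan.FromSeconds(30)));
        Console.WriteLine("zero skew:            {0}", Accepts(jwt, TimeSpan.Zero));
    }
}
```

With the default five-minute skew the 45-seconds-expired token is accepted, while a 30-second or zero skew rejects it with `SecurityTokenExpiredException`. When a short access-token lifetime is the point of the configuration, the resource server's `ClockSkew` has to be set to something closer to the real clock drift between the machines, otherwise the effective lifetime is `AccessTokenLifetime` plus the skew.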

@stuartwhiteford
Author

Ah OK. Thanks Dominick.

I'm looking to configure this flow to simulate the current behaviour of a Forms Authentication application, i.e. a sliding 30 minute expiration where the user would have to re-authenticate after 30 minutes of inactivity. Is this possible with this flow and, if so, would we be required to refresh the token prior to each new resource call?

Thanks,
Stuart.

@leastprivilege
Member

Well - I guess you can use it like this. The expires_in response parameter tells you how long the access token will be valid. Then you know when you have to refresh. If refresh fails the user needs to re-authenticate.
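The pattern just described, refresh driven by `expires_in` and re-authentication when refresh fails, as an added example rather than code from the issue or the IdentityServer sample. It assumes the `OAuth2Client` used by the sample (Thinktecture.IdentityModel.Client): the method names `RequestResourceOwnerPasswordAsync` and `RequestRefreshTokenAsync`, the `TokenResponse` properties `ExpiresIn`, `AccessToken`, `RefreshToken`, `IsError` and `Error`, the token and resource endpoint URLs and the `bob`/`bob` test user are all assumptions about that library and sample.

```csharp
// Added example (not from the issue or the IdentityServer sample): refresh ahead of expiry
// using expires_in, and fall back to a fresh login when the refresh token is rejected.
// Assumes Thinktecture.IdentityModel.Client's OAuth2Client; method and property names,
// endpoint URLs and the test user are assumptions, not taken from the page.
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using Thinktecture.IdentityModel.Client;

static class RefreshAheadClient
{
    static readonly OAuth2Client Oauth2 = new OAuth2Client(
        new Uri("https://idsrv.example/connect/token"),   // placeholder token endpoint
        "roclient",
        "secret");

    const string ResourceUrl = "https://api.example/identity";   // placeholder resource

    // Refresh this many seconds before the access token's own expiry so the call never
    // depends on the resource server's clock-skew tolerance.
    const int SafetyMarginSeconds = 5;

    // Pure scheduling rule, kept apart from I/O: the instant at which to refresh.
    static DateTime RefreshDueAt(DateTime issuedAt, long expiresIn) =>
        issuedAt.AddSeconds(Math.Max(0, expiresIn - SafetyMarginSeconds));

    // Resource owner password grant; "bob"/"bob" is the sample's test user (assumption).
    static TokenResponse Authenticate() =>
        Oauth2.RequestResourceOwnerPasswordAsync("bob", "bob", "read write offline_access").Result;

    static void CallService(string accessToken)
    {
        using (var client = new HttpClient())
        {
            client.DefaultRequestHeaders.Authorization =
                new AuthenticationHeaderValue("Bearer", accessToken);
            var status = client.GetAsync(ResourceUrl).Result.StatusCode;
            Console.WriteLine("{0:HH:mm:ss} service returned {1}", DateTime.UtcNow, status);
        }
    }

    static void Main()
    {
        var response = Authenticate();
        var due = RefreshDueAt(DateTime.UtcNow, response.ExpiresIn);

        while (true)
        {
            if (DateTime.UtcNow >= due)
            {
                // Sliding refresh-token lifetime: each successful refresh extends the session,
                // so an active user never sees a login prompt.
                var refreshed = Oauth2.RequestRefreshTokenAsync(response.RefreshToken).Result;
                if (refreshed.IsError)
                {
                    // Refresh token expired (inactivity window passed) or was revoked:
                    // the user has to log in again, as Forms Authentication would require.
                    Console.WriteLine("refresh failed ({0}); re-authenticating", refreshed.Error);
                    refreshed = Authenticate();
                }
                // OneTimeOnly usage: the previous refresh token is now dead, keep only the new one.
                response = refreshed;
                due = RefreshDueAt(DateTime.UtcNow, response.ExpiresIn);
            }

            CallService(response.AccessToken);
            Thread.Sleep(1000);
        }
    }
}
```

With `SlidingRefreshTokenLifetime` set to 1800 and `AbsoluteRefreshTokenLifetime` left at its long default, this loop gives the 30-minute inactivity behaviour asked about: the access token is refreshed only when a call is actually about to be made, so 30 idle minutes let the refresh token lapse and the next refresh fails, which is the signal to re-authenticate.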
