This repository has been archived by the owner on Dec 13, 2018. It is now read-only.

Change UseTokenLifetime default to false in OIDC Middleware #147

Closed
briandonahue opened this issue Feb 3, 2015 · 14 comments

Comments

@briandonahue

I find this really confusing. If you've configured your cookie auth MW to have a timeout with sliding expiration, and are using OIDC, by default your cookie settings are overwritten by the OIDC Identity Token's lifetime. It seems to me this would be much clearer to default to false. But maybe there is a valid reason?

@Praburaj
Contributor

Praburaj commented Feb 3, 2015

The token issued by the identity provider carries an expires-at field. When this is true (which it is by default) the cookie issued after successful authentication aligns with this timeout, which makes sense as we honor the expiry time of the IDP. When this is false it takes whatever configuration is on the cookie middleware.

@brockallen

I think the complaint is that with OIDC, id_tokens tend to use a very short expiration (like 5-15 minutes) which is just enough time to deliver the id_token to the client. It's then up to the client to determine how long to issue a cookie for based upon the authentication. Some apps might choose 1h, others 20 mins sliding expiration.

Point being, it's somewhat painful to have to configure the expiration on the cookie middleware and then configure a different flag on the OIDC middleware to actually honor the settings configured on the cookie middleware.

@briandonahue
Author

👍

@briandonahue
Author

I am new to OIDC and relatively new to OWIN, but everything I heard was that the id token is independent of client auth cookies/lifetimes, so I spent two painful days trying to figure out exactly what was going on in the MW pieces that was causing the auth session to expire, and finally found this. Fully admitting it may not take everyone as long as it took me :) I still think it is very confusing that this flag basically negates cookie config settings by default.

@leastprivilege
Contributor

I think this default behavior comes from the fact that the OIDC middleware and the WS-Federation middleware should have a harmonized behavior.

But they are two fundamentally different protocols - in WS-Fed the bootstrap token was often kept around because it was needed for delegation (aka act as). So WIF used the token lifetime to set the lifetime of the session authentication token.

In OIDC this delegation step does not exist and therefore id_token lifetime can be really short.

I can see the issue - but I also think that UseTokenLifetime is, for most use cases, set to the wrong default value for OIDC.

@Eilon Eilon added the OIDC label Jun 11, 2015
@Eilon Eilon added the wontfix label Sep 3, 2015
@Eilon
Member

Eilon commented Sep 3, 2015

We believe the default of true is overall the safest:

  • When using ASP.NET Identity, it will replace the cookie with its own cookie that has its own expiration rules.
  • When OIDC is the primary authentication, the value of true is presumably what people want.

@Eilon Eilon closed this as completed Sep 3, 2015
@brockallen

> When OIDC is the primary authentication, the value of true is presumably what people want.

I think the 3 people here on this issue were disagreeing with that default. Defaulting to true is what might work best with Azure AD, but it somewhat shields developers (in a bad way) from thinking about the issue and deciding for themselves. I guess since the issue is closed, it's moot.

@briandonahue
Author

For posterity, what I found most confusing about this was that I can set a cookie lifetime in my cookie options:

  app.UseCookieAuthentication(new CookieAuthenticationOptions
  {
      ...
      ExpireTimeSpan = new TimeSpan(4, 0, 0),
      SlidingExpiration = true,
  });

But if I don't know to override the OIDC defaults, that ExpireTimeSpan is ignored/overwritten.

  app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
  {
      ...
      UseTokenLifetime = false, // have to know to do this for ExpireTimeSpan to be respected
      ...
  });

That behavior seems incredibly opaque to me. Not sure if it could be helped by different naming, or what, but it seems like it will be a common misunderstanding in practice, though I don't profess to understand the majority of use cases.
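The two fragments above, assembled into one registration as an added example (this is not code from the issue or from the aspnet/Security project). Only the option names that appear in this thread plus Authority and ClientId are used; the Authority and ClientId values are placeholders, and the using directives assume the ASP.NET 5 beta package layout of the time:

```csharp
// Added example, not part of the issue: a Startup.Configure that registers the
// cookie middleware and the OIDC middleware together so that the session
// lifetime comes from the cookie options rather than from the id_token.
// The using directives below are an assumption for the ASP.NET 5 beta packages.
using System;
using Microsoft.AspNet.Builder;
using Microsoft.AspNet.Authentication.Cookies;
using Microsoft.AspNet.Authentication.OpenIdConnect;

public class Startup
{
    public void Configure(IApplicationBuilder app)
    {
        // 1. The cookie middleware owns the application session. These values
        //    express the developer's intent: a 4-hour window that slides on activity.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            ExpireTimeSpan = TimeSpan.FromHours(4),
            SlidingExpiration = true,
        });

        // 2. The OIDC middleware only bootstraps that session from the id_token.
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            Authority = "https://idp.example.invalid", // placeholder IdP URL
            ClientId = "PLACEHOLDER-CLIENT-ID",        // placeholder client id

            // With the default discussed in this thread (true), the ticket written
            // into the cookie expires when the id_token expires, so the 4-hour
            // setting above is replaced by the IdP's token lifetime (often minutes).
            // Setting it explicitly keeps the intended lifetime independent of
            // whichever default the middleware version ships with.
            UseTokenLifetime = false,
        });
    }
}
```

Registering the cookie middleware first matters because the OIDC middleware signs the user in through it; once the flag is explicit, the observable check is simply that a session started from a short-lived id_token still survives past the token's expiry as long as the user stays active within the 4-hour sliding window.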

@Eilon Eilon reopened this Sep 8, 2015
@Eilon
Member

Eilon commented Sep 8, 2015

Will discuss again in our next Security repo mtg.

@briandonahue
Author

Cool, thanks!

@Eilon Eilon added investigate Investigation item and removed wontfix labels Sep 10, 2015
@Eilon Eilon added this to the 1.0.0-beta8 milestone Sep 17, 2015
@Eilon Eilon added bug 1 - Ready and removed investigate Investigation item labels Sep 17, 2015
@Eilon Eilon changed the title UseTokenLifetime defaults to true in OIDC Middleware Change UseTokenLifetime default to false in OIDC Middleware Sep 17, 2015
@Eilon
Member

Eilon commented Sep 17, 2015

We have decided to change the default value to false!

@briandonahue
Author

Great - thanks for reconsidering, sorry I wasn't as clear in the initial description.

@Eilon
Member

Eilon commented Sep 17, 2015

😄

@leastprivilege
Contributor

yay
