Change UseTokenLifetime default to false in OIDC Middleware #147
Comments
The token issued by the identity provider carries a
I think the complaint is that with OIDC, id_tokens tend to use a very short expiration (like 5-15 minutes) which is just enough time to deliver the id_token to the client. It's then up to the client to determine how long to issue a cookie for based upon the authentication. Some apps might choose 1h, others 20 mins sliding expiration. Point being, it's somewhat painful to have to configure the expiration on the cookie middleware and then configure a different flag on the OIDC middleware to actually honor the settings configured on the cookie middleware.
👍
I am new to OIDC and relatively new to OWIN, but everything I heard was that the id token is independent of client auth cookies/lifetimes, so I spent two painful days trying to figure out exactly what was going on in the MW pieces that was causing the auth session to expire, and finally found this. Fully admitting it may not take everyone as long as it took me :) I still think it is very confusing that this flag basically negates cookie config settings by default.
I think this default behavior comes from the fact that the OIDC middleware and the WS-Federation middleware should have a harmonized behavior. But they are two fundamentally different protocols - in WS-Fed the bootstrap token was often kept around because it was needed for delegation (aka act as). So WIF used the token lifetime to set the lifetime of the session authentication token. In OIDC this delegation step does not exist and therefore id_token lifetime can be really short. I can see the issue - but I also think that UseTokenLifetime is for most use cases set to the wrong default value for OIDC.
We believe the default of
I think the 3 people here on this issue were disagreeing with that default. Default to
For posterity, what I found most confusing about this was that I can set a cookie lifetime in my cookie options:
But if I don't know to override the OIDC defaults, that
That behavior seems incredibly opaque to me. Not sure if it could be helped by different naming, or what, but it seems like it will be a common misunderstanding in practice, though I don't profess to understand the majority of use cases.
Will discuss again in our next Security repo mtg.
Cool, thanks!
We have decided to change the default value to
Great - thanks for reconsidering, sorry I wasn't as clear in the initial description.
😄
yay
I find this really confusing. If you've configured your cookie auth MW to have a timeout with sliding expiration, and are using OIDC, by default your cookie settings are overwritten by the OIDC Identity Token's lifetime. It seems to me this would be much clearer to default to false. But maybe there is a valid reason?
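The interaction the issue description and the first comment describe, shown as an added configuration example (not code from this issue or from the Security repo). It assumes the Katana (Microsoft.Owin) cookie and OIDC middleware API, which exposes the same UseTokenLifetime switch; the authority, client id and redirect URI are placeholders.

```csharp
using System;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // The OIDC handler signs the user in to this cookie scheme after the id_token is validated.
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        // The session policy the app actually wants: one hour, renewed while the user is active.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
            ExpireTimeSpan = TimeSpan.FromHours(1),
            SlidingExpiration = true,
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            // Placeholder provider settings; replace with your own.
            Authority = "https://idp.example.invalid",
            ClientId = "example-client-id",
            RedirectUri = "https://app.example.invalid/signin-oidc",
            ResponseType = "id_token",

            // With the old default (true) the cookie's ExpireTimeSpan and SlidingExpiration above
            // are ignored: the session cookie is issued with the id_token's own `exp`, so a
            // 5-minute id_token produces a 5-minute session regardless of the cookie options.
            // With false, the cookie middleware's settings govern the session lifetime, and the
            // id_token's short lifetime only bounds how long the sign-in response itself is valid.
            UseTokenLifetime = false,
        });
    }
}
```

A quick check after deploying either setting is to sign in and compare the cookie's expiry (or the time at which you are sent back to the provider) against the id_token's `exp` claim: if they coincide, the token lifetime is still in control.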