I am building an app, which is a Javascript SPA with Asp.net mvc controllers in the backend. I am trying to use IdentityServer for authentication. I have authorize attribute on my controllers. One of the requirements I have is that the user's session should be expired in a certain amount of time(if no activity, user should be prompted to login). The implicit flow does not work for me because of security restrictions. I grabbed the Identity4 samples https://github.com/IdentityServer/IdentityServer4.Samples and tried using the cookieauthentication middleware, setting the ExpireTimeSpan to see if that expires the cookie. Somehow even after the expiration of the timespan specified, I am still able to make a call into the controllers. How can I accomplish something similar to a asp.net session timeout with Identity Server and Asp.net mvc?

It is known issue see https://github.com/aspnet/Security/pull/893, fixed for 1.1.0.

Wait 1.1.0 version or use OnTokenValidated to set expire property:

OnTokenValidated = async (context) =>
{
     context.Properties.ExpiresUtc = <expire>;
     await Task.FromResult(0);
}

Also see for another solution: https://github.com/aspnet/Security/issues/855#issuecomment-229495399