I'm securing a web app with identity server 3. My app is split into 2 oidc clients a ASP.Net MVC client and a javascript(angular) client which uses the oidc-client javascript library.

When a user first visits the web app we redirect for log in to identity server, which logs in the mvc client. The javascript client is then logged in using the silent login feature from the oidc-library.

I would like to control how often the user has to visit the logon page to sign in again and I would like to set this so that users have to visit the logon page either once a day or every 8 hours.

Is there a setting in identity server that controls how long the user session is active without having to sign in again.

I have searched the docs and found a number of Lifetime settings but its not clear which of these I should be using and so far trial & error hasn't yielded any results.

What you are looking to control is the lifetime for the cookie IdentityServer itself issues. Once this cookie expires, the next time one of the client applications need to authenticate again, the user will need to reenter their credentials.

This cookie lifetime is controlled in the CookieOption found in the AuthenticationOptions of the IdentityServerOptions (see below) and defaults to 10 hours.

var options = new IdentityServerOptions
{
    Factory = factory,
    SigningCertificate = Cert.Load(),
    AuthenticationOptions = new AuthenticationOptions
    {
        CookieOptions = new IdentityServer3.Core.Configuration.CookieOptions
        {
            ExpireTimeSpan = TimeSpan.FromHours(24)
        }
    }
};