Can somebody explain how to implement sliding expiration using the new Owin WS-Federation plugin?
On the client side, at WS-Fedeartion configuration I see that there are some events like :
Notifications = new WsFederationAuthenticationNotifications
{
SecurityTokenReceived = ...,
AuthenticationFailed = ...,
RedirectToIdentityProvider = ...,
MessageReceived = ...,
SecurityTokenValidated = ....
},
But because the lack of documentation I can't really figure it out where an how?
At the moment my STS is issuing tokens with absolute expiration:
protected override Lifetime GetTokenLifetime(Lifetime requestLifetime)
{
// 5 Minutes for token lifetime
var lifetime = new Lifetime(DateTime.UtcNow, DateTime.UtcNow.AddMinutes(5));
return lifetime;
}
Any help is higly appreciated.
TL;DR: set
WsFederationAuthenticationOptions.UseTokenLifetime
tofalse
, to re-enable sliding expiration.In OWIN/Katana, the sliding expiration concept is limited to the cookies middleware and is enabled by default (you can turn it off by setting
CookieAuthenticationOptions.SlidingExpiration
tofalse
: https://katanaproject.codeplex.com/SourceControl/latest#src/Microsoft.Owin.Security.Cookies/CookieAuthenticationOptions.cs).When you use
app.UseWsFederationAuthentication
(orapp.UseOpenIdConnectAuthentication
), it actually relies on another middleware to persist theClaimsIdentity
when you complete the authentication flow. This "persistence delegation" can be configured through theSignInAsAuthenticationType
or viaapp.SetDefaultSignInAsAuthenticationType
.Typically, this
SignInAsAuthenticationType
property corresponds to a cookie middleware: this way, sliding expiration is not managed at the WS-Federation middleware level, but by the cookies middleware, that will automatically renew the authentication cookie when sliding expiration conditions are met. In this scenario, the authentication token issued by your identity provider won't be renewed. For this to work, you need to setWsFederationAuthenticationOptions.UseTokenLifetime
tofalse
, because when you use the default value, sliding expiration is disabled and the cookie lifetime matches the token lifetime.If you use WS-Fed for authentication purposes (i.e you just want to know who your users are), using sliding expiration is probably a good idea. But if you need to make some API calls on a remote server, your users may end up being authenticated for a long time, far after the expiration of their security token.