The Azure Training Kit includes a lab titled "IntroToACS2". In it, you create a WebRole and enable ACS so that you can login using your Google, Live, or Yahoo id. After logging in, if I wait 10 minutes or so and then refresh the page, I'm redirected back to the login page.
How can I increase the Azure ACS login timeout?
Here's what I found:
http://msdn.microsoft.com/en-us/library/gg185906.aspx#BKMK_5
Token Lifetime
The Token lifetime property allows you to specify the amount of time for a security token issued by ACS to the relying party application to remain valid. By default, in ACS, this value is set to 10 minutes (600 seconds). In ACS, this value must be greater than zero but less than or equal to 24 hours (86400 seconds).
While the maximum lifetime is 24 hours it's possible to automatically renew the ACS token by adding the following 6 lines of code in ShowSigninPage function, just before the existing loop over identityProviders:
for (var i in identityProviders) {
if (cookieName !== null && cookieName == identityProviders[i].Name) {
window.location = identityProviders[i].LoginUrl;
return null;
} }
// Loop through the identity providers for (var i in identityProviders) {
...
For more info the automatic renewal approach see: http://social.msdn.microsoft.com/Forums/en-US/windowsazuresecurity/thread/0430c4aa-ab10-4a72-b115-91b2600bfcd0
I think what you really want is to increase your application's session lifetime, and not the ACS issued token lifetime.
How do I increase session timeout with W.I.F / SAML tokens / FedAuth cookie
Related
I'm trying to fetch remote config values on first login (and not only after minimumFetchIntervalMillis expires), this is what i do (pseudo):
yield firebaseConfig.setConfigSettings(15 mins)
yield firebaseConfig.setDefaults()
yield firebaseConfig.fetchAndActivate().then(print values)
But i do not get the correct config for the user, just the server default.
Is there a valid way to do that?
I was thinking about setting minimumFetchIntervalMillis to zero on first login and after config was fetched to set it to 15 mins but i'm not sure that's the best approach for this.
Any ideas?
Set the minimumFetchIntervalMillis to 0 for the initial retrieve request if you wish to fetch new configuration data immediately after logging in rather than waiting for the minimumFetchIntervalMillis duration to elapse. This can lead to more requests being sent to the server more often, which could harm the performance of app and raise server expenses.
firebaseConfig.settings.minimumFetchIntervalMillis = 0;
firebaseConfig.fetchAndActivate().then(() => {
console.log(firebaseConfig.getAll());
firebaseConfig.settings.minimumFetchIntervalMillis = 15 * 60 * 1000;
});
The above sample code retrieves the remote configuration with a minimumFetchIntervalMillis of 0, activates it, then outputs the values it has fetched. The minimumFetchIntervalMillis is 15 milliseconds after the initial fetch.
We want to try to reduce the life time of our OAuthAccessTokens (generated by an WSO2 API Manager JWT Grant). We tried to do it in the application by setting the 'Validity Period', by changing the AccessTokenDefaultValidityPeriod in the identity.xml file, by changing the time settings in the service provider but nothing changed the validity period of the token. It stays always at 3600 seconds.
Can anyone give us a hint and with which attributes to change the expiration time of the OAuthAccessTokens?
Regards
Edmund
I have a web api project that is using idenity server. Would like to make the default timeout expire to configurable (15mins) which is defaulted to 1 hour now. I see few approaches using cookies in start up. But want to set the token expiration without using cookies. any help?
You can change the timeout for Access tokens and Identity tokens by modifying the Client's AccessTokenLifetime and IdentityTokenLifetime properties:
new IdentityServer4.Models.Client {
.
.
ClientId = "your-application",
IdentityTokenLifetime = 900,
AccessTokenLifetime = 900
}
I'm using Firebase Auth to have users authenticate using their Google Account. I found the token returned by firebase.auth().currentUser.getIdToken is only valid for 1 hour. To allow the session to last longer I tried creating a session cookie as outlined in Manage Session Cookies:
const expiresIn = 60 * 60 * 24 * 5 * 1000;
admin.auth().createSessionCookie(idToken, {expiresIn}).then((sessionCookie) => {
const options = {maxAge: expiresIn, httpOnly: true, secure: true};
res.cookie('session', sessionCookie, options);
res.end(JSON.stringify({status: 'success'});
}
This code successfully created a session cookie and subsequent requests could be verified using admin.auth().verifySessionCookie. All was well until I tried increasing the expiresIn duration. It turns out that Firebase session cookies have a maximum expiration time of 2 weeks. From the docs:
Ability to create session cookies with custom expiration times ranging from 5 minutes to 2 weeks.
For this project I would prefer to have a user log in once and stay logged in. I tried extending the session on every interaction with the server but I didn't find any official documentation on how to do that. It seemed to make sense to call admin.auth().createSessionCookie on the server using the token returned by admin.auth().verifySessionCookie, but that failed with this error:
Failed to extend session: { Error: An internal error has occurred. Raw server response: "{"error":{"code":400,"message":"Invalid value at 'valid_duration' (TYPE_INT64), 604.8","errors":[{"message":"Invalid value at 'valid_duration' (TYPE_INT64), 604.8","domain":"global","reason":"badRequest"}],"status":"INVALID_ARGUMENT"}}"`enter code here`
at FirebaseAuthError.Error (native)
at FirebaseAuthError.FirebaseError [as constructor] (/user_code/node_modules/firebase-admin/lib/utils/error.js:39:28)
at FirebaseAuthError.PrefixedFirebaseError [as constructor] (/user_code/node_modules/firebase-admin/lib/utils/error.js:85:28)
at new FirebaseAuthError (/user_code/node_modules/firebase-admin/lib/utils/error.js:143:16)
at Function.FirebaseAuthError.fromServerError (/user_code/node_modules/firebase-admin/lib/utils/error.js:173:16)
at /user_code/node_modules/firebase-admin/lib/auth/auth-api-request.js:726:49
at process._tickDomainCallback (internal/process/next_tick.js:135:7)
errorInfo:
{ code: 'auth/internal-error',
message: 'An internal error has occurred. Raw server response: "{"error":{"code":400,"message":"Invalid value at \'valid_duration\' (TYPE_INT64), 604.8","errors":[{"message":"Invalid value at \'valid_duration\' (TYPE_INT64), 604.8","domain":"global","reason":"badRequest"}],"status":"INVALID_ARGUMENT"}}"' },
codePrefix: 'auth' }
Is it possible to extend Firebase sessions on the server side without requiring the client to do any work? Is it possible to use Firebase auth with tokens with a longer lifespan than 2 weeks? If not, in there a standard approach on how to achieve incredibly long lived sessions?
Extending it too long can be risky, as if the cookie is leaked, the window of attack will be quite wide. I don't recommend extending the session longer but if this is a requirement, you could try to do the following:
after verifying the session cookie on your server for the user and noticing it is about to expire.
mint a custom token for that user ID with Admin SDK
signInWithCustomToken with that custom token.
user.getIdToken() to get new ID token.
Exchange that ID token for a new session cookie.
The downside is that the claims in the session cookie will correspond to a custom token user.
Notice for client side sessions, the ID token passed around has one hour duration, even though the session is indefinite. This is because a refresh token lives on the device and is used to exchange new ID tokens. At any time, only the ID token is transmitted limiting the window of attack to one hour if that token is leaked.
I think it would be useful for Firebase Auth to offer an active duration functionality. That would be better for extending sessions continuously in short increments. This would be better than minting an indefinite or very long cookie. An active user would constantly have their session extended. This is not offered by Firebase Auth but you can file a feature request for it.
I'm facing a strange issue in Asp Dot Net Identity API 2.0 API.
When an user signs up, I send a confirmation email to the user. And if the user confirms his / her account within 15 mins of signing up, the "ConfirmEmailAsync" method seems to be working.
But after 15 mins, if I try to confirm the email address, I'm getting a "Invalid Token" error.
Is there a way to set the token expiry time?
A really frustrating issue and it's becoming very hard to troubleshoot.
Can anyone help please?
Change the code in the Create method(App_Start\IdentityConfig.cs file).
if (dataProtectionProvider != null)
{
manager.UserTokenProvider =
new DataProtectorTokenProvider<ApplicationUser>
(dataProtectionProvider.Create("ASP.NET Identity"))
{
TokenLifespan = TimeSpan.FromHours(3)
};
}
source: http://www.asp.net/identity/overview/features-api/account-confirmation-and-password-recovery-with-aspnet-identity