How can I modify the OpenId default token expire time?

[RockNHawk]

How can I modify the OpenId defualt token expire time?

In old version of Orchard Core, I cant call SetAccessTokenLifetime in AccessController, but now it's more complex than old version, I could not find where I can modify the OpenId token lifetime.

ticket.SetAccessTokenLifetime(TimeSpan.FromDays(365));

[jtkech]

Duplicate of #7035

[jtkech]

Oops didn't see that #7035 is a discussion, not an issue, reopen it

[RockNHawk]

@jtkech I have deleted the discussion, it's a mistake...

[hishamco]

Converted it again to discussion

[RockNHawk]

Any people know ?

[RockNHawk]

I resolved this issue , add an principal.SetAccessTokenLifetime call before SingIn.

principal.SetAccessTokenLifetime(TimeSpan.FromDays(1));

return SignIn(principal,OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);

---

{"access_token":"...","token_type":"Bearer","expires_in":315360000,"scope":"offline_access"}

[kevinchalet]

FWIW, using such a long expiration date is a very bad idea and something I'd strongly discourage.

Why not using refresh tokens?

[RockNHawk]

just an example :-)

[hyzx86]

Is there any way we can extend the expiration time on this issue without modifying the OrchardCore source code?
For example, there are a lot of websites that have a login option called "Remember me."

[hyzx86]

The default time is 1 hour, which is really short,
A short story: I have been writing my blog for two hours, and when I click Submit, the system directly jumps to the landing page. Everything that hasn't been saved is lost
Especially if you log in using password,
@kevinchalet mentioned using refresh_token, but when the grant_type is password will does not include refresh_token
Can we check whether the Token has expired before submission? If so, use the expired Token together with refresh_token to refresh a new Token? And then continue to submit?

[hyzx86]

The token life cycle is fine, but if you want to implement refreshing tokens, you need some extra work。

    internal class UserTokenLifeTimeClaimsProvider : IUserClaimsProvider
    {
        private readonly IHttpContextAccessor _httpContextAccessor;

        public UserTokenLifeTimeClaimsProvider(IHttpContextAccessor httpContextAccessor)
        {
            _httpContextAccessor = httpContextAccessor;
        }

        public Task GenerateAsync(IUser user, ClaimsIdentity claims)
        {
            var lifeTime = TimeSpan.FromHours(10);
            if (_httpContextAccessor.HttpContext.Request.Form["rememberme"] == "true")
            {
                lifeTime = TimeSpan.FromDays(7);
            }
            claims.AddClaim(new Claim("oi_act_lft",
               lifeTime.TotalSeconds.ToString(CultureInfo.InvariantCulture)));
            return Task.FromResult(claims);
        }

    }

[hyzx86]

@RockNHawk this is right way 😉

[hyzx86]

UserTokenLifeTimeClaimsProvider will be implemented in the process of each request 😢

[RockNHawk]

@RockNHawk this is right way 😉

Thanks a lot, you are awesome!

[HengzheLi]

So is oi_act_lft a special claim name to customize the token life time? Has a document/specification for it?

[hyzx86]

Oh, I was wrong about one thing,
You do not need to change the expiration time of the Token
Password authorization can also obtain refresh_token

1. Enable Allow Refresh Token Flow
2. Then add offline_access to the scope in the token request