Update the samples to clarify the relationship between the expiration of the authentication results returned by OpenIddict and the lifetime of authentication cookies based on them

Author: kevinchalet

sandbox/OpenIddict.Sandbox.AspNet.Client/Controllers/AuthenticationController.cs

@@ -195,7 +195,25 @@ or Claims.Private.RegistrationId or Claims.Private.ProviderName
                 OpenIddictClientOwinConstants.Tokens.BackchannelAccessToken   or
                 OpenIddictClientOwinConstants.Tokens.BackchannelIdentityToken or
                 OpenIddictClientOwinConstants.Tokens.RefreshToken)
-            .ToDictionary(pair => pair.Key, pair => pair.Value));
+            .ToDictionary(pair => pair.Key, pair => pair.Value))
+        {
+            // Set the creation and expiration dates of the ticket to null to decorrelate the lifetime
+            // of the resulting authentication cookie from the lifetime of the identity token returned by
+            // the authorization server (if applicable). In this case, the expiration date time will be
+            // automatically computed by the cookie handler using the lifetime configured in the options.
+            //
+            // Applications that prefer binding the lifetime of the ticket stored in the authentication cookie
+            // to the identity token returned by the identity provider can remove or comment these two lines:
+            IssuedUtc = null,
+            ExpiresUtc = null,
+
+            // Note: this flag controls whether the authentication cookie that will be returned to the
+            // browser will be treated as a session cookie (i.e destroyed when the browser is closed)
+            // or as a persistent cookie. In both cases, the lifetime of the authentication ticket is
+            // always stored as protected data, preventing malicious users from trying to use an
+            // authentication cookie beyond the lifetime of the authentication ticket itself.
+            IsPersistent = false
+        };
 
         context.Authentication.SignIn(properties, identity);
         return Redirect(properties.RedirectUri ?? "/");

sandbox/OpenIddict.Sandbox.AspNet.Server/Controllers/AuthenticationController.cs

@@ -86,7 +86,25 @@ or Claims.Private.RegistrationId or Claims.Private.ProviderName
                 // If needed, the tokens returned by the authorization server can be stored in the authentication cookie.
                 OpenIddictClientOwinConstants.Tokens.BackchannelAccessToken or
                 OpenIddictClientOwinConstants.Tokens.RefreshToken)
-            .ToDictionary(pair => pair.Key, pair => pair.Value));
+            .ToDictionary(pair => pair.Key, pair => pair.Value))
+        {
+            // Set the creation and expiration dates of the ticket to null to decorrelate the lifetime
+            // of the resulting authentication cookie from the lifetime of the identity token returned by
+            // the authorization server (if applicable). In this case, the expiration date time will be
+            // automatically computed by the cookie handler using the lifetime configured in the options.
+            //
+            // Applications that prefer binding the lifetime of the ticket stored in the authentication cookie
+            // to the identity token returned by the identity provider can remove or comment these two lines:
+            IssuedUtc = null,
+            ExpiresUtc = null,
+
+            // Note: this flag controls whether the authentication cookie that will be returned to the
+            // browser will be treated as a session cookie (i.e destroyed when the browser is closed)
+            // or as a persistent cookie. In both cases, the lifetime of the authentication ticket is
+            // always stored as protected data, preventing malicious users from trying to use an
+            // authentication cookie beyond the lifetime of the authentication ticket itself.
+            IsPersistent = false
+        };
 
         context.Authentication.SignIn(properties, identity);
         return Redirect(properties.RedirectUri ?? "/");

sandbox/OpenIddict.Sandbox.AspNetCore.Client/Controllers/AuthenticationController.cs

@@ -199,7 +199,24 @@ public async Task<ActionResult> LogInCallback()
         // Build the authentication properties based on the properties that were added when the challenge was triggered.
         var properties = new AuthenticationProperties(result.Properties.Items)
         {
-            RedirectUri = result.Properties.RedirectUri ?? "/"
+            RedirectUri = result.Properties.RedirectUri ?? "/",
+
+            // Set the creation and expiration dates of the ticket to null to decorrelate the lifetime
+            // of the resulting authentication cookie from the lifetime of the identity token returned by
+            // the authorization server (if applicable). In this case, the expiration date time will be
+            // automatically computed by the cookie handler using the lifetime configured in the options.
+            //
+            // Applications that prefer binding the lifetime of the ticket stored in the authentication cookie
+            // to the identity token returned by the identity provider can remove or comment these two lines:
+            IssuedUtc = null,
+            ExpiresUtc = null,
+
+            // Note: this flag controls whether the authentication cookie that will be returned to the
+            // browser will be treated as a session cookie (i.e destroyed when the browser is closed)
+            // or as a persistent cookie. In both cases, the lifetime of the authentication ticket is
+            // always stored as protected data, preventing malicious users from trying to use an
+            // authentication cookie beyond the lifetime of the authentication ticket itself.
+            IsPersistent = false
         };
 
         // If needed, the tokens returned by the authorization server can be stored in the authentication cookie.

sandbox/OpenIddict.Sandbox.AspNetCore.Server/Controllers/AuthenticationController.cs

@@ -90,7 +90,24 @@ public async Task<ActionResult> LogInCallback()
         // Build the authentication properties based on the properties that were added when the challenge was triggered.
         var properties = new AuthenticationProperties(result.Properties.Items)
         {
-            RedirectUri = result.Properties.RedirectUri ?? "/"
+            RedirectUri = result.Properties.RedirectUri ?? "/",
+
+            // Set the creation and expiration dates of the ticket to null to decorrelate the lifetime
+            // of the resulting authentication cookie from the lifetime of the identity token returned by
+            // the authorization server (if applicable). In this case, the expiration date time will be
+            // automatically computed by the cookie handler using the lifetime configured in the options.
+            //
+            // Applications that prefer binding the lifetime of the ticket stored in the authentication cookie
+            // to the identity token returned by the identity provider can remove or comment these two lines:
+            IssuedUtc = null,
+            ExpiresUtc = null,
+
+            // Note: this flag controls whether the authentication cookie that will be returned to the
+            // browser will be treated as a session cookie (i.e destroyed when the browser is closed)
+            // or as a persistent cookie. In both cases, the lifetime of the authentication ticket is
+            // always stored as protected data, preventing malicious users from trying to use an
+            // authentication cookie beyond the lifetime of the authentication ticket itself.
+            IsPersistent = false
         };
 
         // If needed, the tokens returned by the authorization server can be stored in the authentication cookie.