owinkatanaws-federationsts-securitytokenservice

Owin WS-Federation setting up token sliding expiration


Can somebody explain how to implement sliding expiration using the new Owin WS-Federation plugin?

On the client side, at WS-Fedeartion configuration I see that there are some events like :

  Notifications = new WsFederationAuthenticationNotifications
            {
                SecurityTokenReceived = ...,
                AuthenticationFailed = ...,
                RedirectToIdentityProvider = ...,
                MessageReceived = ...,
                SecurityTokenValidated = ....
            },

But because the lack of documentation I can't really figure it out where an how?

At the moment my STS is issuing tokens with absolute expiration:

 protected override Lifetime GetTokenLifetime(Lifetime requestLifetime)
 {
        // 5 Minutes for token lifetime
        var lifetime = new Lifetime(DateTime.UtcNow, DateTime.UtcNow.AddMinutes(5));
        return lifetime;
 }

Any help is higly appreciated.


Solution

  • TL;DR: set WsFederationAuthenticationOptions.UseTokenLifetime to false, to re-enable sliding expiration.

    In OWIN/Katana, the sliding expiration concept is limited to the cookies middleware and is enabled by default (you can turn it off by setting CookieAuthenticationOptions.SlidingExpiration to false: https://katanaproject.codeplex.com/SourceControl/latest#src/Microsoft.Owin.Security.Cookies/CookieAuthenticationOptions.cs).

    When you use app.UseWsFederationAuthentication (or app.UseOpenIdConnectAuthentication), it actually relies on another middleware to persist the ClaimsIdentity when you complete the authentication flow. This "persistence delegation" can be configured through the SignInAsAuthenticationType or via app.SetDefaultSignInAsAuthenticationType.

    Typically, this SignInAsAuthenticationType property corresponds to a cookie middleware: this way, sliding expiration is not managed at the WS-Federation middleware level, but by the cookies middleware, that will automatically renew the authentication cookie when sliding expiration conditions are met. In this scenario, the authentication token issued by your identity provider won't be renewed. For this to work, you need to set WsFederationAuthenticationOptions.UseTokenLifetime to false, because when you use the default value, sliding expiration is disabled and the cookie lifetime matches the token lifetime.

    If you use WS-Fed for authentication purposes (i.e you just want to know who your users are), using sliding expiration is probably a good idea. But if you need to make some API calls on a remote server, your users may end up being authenticated for a long time, far after the expiration of their security token.