From 45bd2497f3bc6783895ecb98b252348e85896b26 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?=
Date: Fri, 30 May 2025 19:19:49 +0200
Subject: [PATCH] Update the samples to clarify the relationship between the expiration of the authentication results returned by OpenIddict and the lifetime of authentication cookies based on them

---
 .../Controllers/AuthenticationController.cs | 20 ++++++++++++++++++-
 .../Controllers/AuthenticationController.cs | 20 ++++++++++++++++++-
 .../Controllers/AuthenticationController.cs | 19 +++++++++++++++++-
 .../Controllers/AuthenticationController.cs | 19 +++++++++++++++++-
 4 files changed, 74 insertions(+), 4 deletions(-)

diff --git a/sandbox/OpenIddict.Sandbox.AspNet.Client/Controllers/AuthenticationController.cs b/sandbox/OpenIddict.Sandbox.AspNet.Client/Controllers/AuthenticationController.cs
index bf14e2d2e..a27103b30 100644
--- a/sandbox/OpenIddict.Sandbox.AspNet.Client/Controllers/AuthenticationController.cs
+++ b/sandbox/OpenIddict.Sandbox.AspNet.Client/Controllers/AuthenticationController.cs
@@ -195,7 +195,25 @@ or Claims.Private.RegistrationId or Claims.Private.ProviderName
 OpenIddictClientOwinConstants.Tokens.BackchannelAccessToken or
 OpenIddictClientOwinConstants.Tokens.BackchannelIdentityToken or
 OpenIddictClientOwinConstants.Tokens.RefreshToken)
- .ToDictionary(pair => pair.Key, pair => pair.Value));
+ .ToDictionary(pair => pair.Key, pair => pair.Value))
+ {
+ // Set the creation and expiration dates of the ticket to null to decorrelate the lifetime
+ // of the resulting authentication cookie from the lifetime of the identity token returned by
+ // the authorization server (if applicable). In this case, the expiration date time will be
+ // automatically computed by the cookie handler using the lifetime configured in the options.
+ //
+ // Applications that prefer binding the lifetime of the ticket stored in the authentication cookie
+ // to the identity token returned by the identity provider can remove or comment these two lines:
+ IssuedUtc = null,
+ ExpiresUtc = null,
+
+ // Note: this flag controls whether the authentication cookie that will be returned to the
+ // browser will be treated as a session cookie (i.e destroyed when the browser is closed)
+ // or as a persistent cookie. In both cases, the lifetime of the authentication ticket is
+ // always stored as protected data, preventing malicious users from trying to use an
+ // authentication cookie beyond the lifetime of the authentication ticket itself.
+ IsPersistent = false
+ };
 context.Authentication.SignIn(properties, identity);
 return Redirect(properties.RedirectUri ?? "/");
diff --git a/sandbox/OpenIddict.Sandbox.AspNet.Server/Controllers/AuthenticationController.cs b/sandbox/OpenIddict.Sandbox.AspNet.Server/Controllers/AuthenticationController.cs
index 58fc48614..f40c1fd83 100644
--- a/sandbox/OpenIddict.Sandbox.AspNet.Server/Controllers/AuthenticationController.cs
+++ b/sandbox/OpenIddict.Sandbox.AspNet.Server/Controllers/AuthenticationController.cs
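Review bot: Nulling `IssuedUtc`/`ExpiresUtc` makes the local session independent of the upstream identity token, but the new comment stops short of saying what then bounds it: with the cookie handler's sliding expiration left at its default (unless the sample's cookie options disable it), the ticket is renewed on each active request, and nothing in this callback re-validates the session against the identity provider before the lifetime from the options is re-extended. Suggest adding, after the line ending `configured in the options.`, `// Note that sliding expiration (enabled by default in the cookie handler) can keep renewing this ticket` / `// without revalidating the upstream session; disable it or re-check the session in the cookie validation event if needed.` The same block is added in the AspNet.Server, AspNetCore.Client and AspNetCore.Server hunks, and `i.e` should read `i.e.` in all four. The enclosing action starts and ends outside the hunk.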
@@ -86,7 +86,25 @@ or Claims.Private.RegistrationId or Claims.Private.ProviderName
 // If needed, the tokens returned by the authorization server can be stored in the authentication cookie.
 OpenIddictClientOwinConstants.Tokens.BackchannelAccessToken or
 OpenIddictClientOwinConstants.Tokens.RefreshToken)
- .ToDictionary(pair => pair.Key, pair => pair.Value));
+ .ToDictionary(pair => pair.Key, pair => pair.Value))
+ {
+ // Set the creation and expiration dates of the ticket to null to decorrelate the lifetime
+ // of the resulting authentication cookie from the lifetime of the identity token returned by
+ // the authorization server (if applicable). In this case, the expiration date time will be
+ // automatically computed by the cookie handler using the lifetime configured in the options.
+ //
+ // Applications that prefer binding the lifetime of the ticket stored in the authentication cookie
+ // to the identity token returned by the identity provider can remove or comment these two lines:
+ IssuedUtc = null,
+ ExpiresUtc = null,
+
+ // Note: this flag controls whether the authentication cookie that will be returned to the
+ // browser will be treated as a session cookie (i.e destroyed when the browser is closed)
+ // or as a persistent cookie. In both cases, the lifetime of the authentication ticket is
+ // always stored as protected data, preventing malicious users from trying to use an
+ // authentication cookie beyond the lifetime of the authentication ticket itself.
+ IsPersistent = false
+ };
 context.Authentication.SignIn(properties, identity);
 return Redirect(properties.RedirectUri ?? "/");
diff --git a/sandbox/OpenIddict.Sandbox.AspNetCore.Client/Controllers/AuthenticationController.cs b/sandbox/OpenIddict.Sandbox.AspNetCore.Client/Controllers/AuthenticationController.cs
index de3ec8ef3..19a47490f 100644
--- a/sandbox/OpenIddict.Sandbox.AspNetCore.Client/Controllers/AuthenticationController.cs
+++ b/sandbox/OpenIddict.Sandbox.AspNetCore.Client/Controllers/AuthenticationController.cs
@@ -199,7 +199,24 @@ public async Task LogInCallback()
 // Build the authentication properties based on the properties that were added when the challenge was triggered.
 var properties = new AuthenticationProperties(result.Properties.Items)
 {
- RedirectUri = result.Properties.RedirectUri ?? "/"
+ RedirectUri = result.Properties.RedirectUri ?? "/",
+
+ // Set the creation and expiration dates of the ticket to null to decorrelate the lifetime
+ // of the resulting authentication cookie from the lifetime of the identity token returned by
+ // the authorization server (if applicable). In this case, the expiration date time will be
+ // automatically computed by the cookie handler using the lifetime configured in the options.
+ //
+ // Applications that prefer binding the lifetime of the ticket stored in the authentication cookie
+ // to the identity token returned by the identity provider can remove or comment these two lines:
+ IssuedUtc = null,
+ ExpiresUtc = null,
+
+ // Note: this flag controls whether the authentication cookie that will be returned to the
+ // browser will be treated as a session cookie (i.e destroyed when the browser is closed)
+ // or as a persistent cookie. In both cases, the lifetime of the authentication ticket is
+ // always stored as protected data, preventing malicious users from trying to use an
+ // authentication cookie beyond the lifetime of the authentication ticket itself.
+ IsPersistent = false
 };
 // If needed, the tokens returned by the authorization server can be stored in the authentication cookie.
diff --git a/sandbox/OpenIddict.Sandbox.AspNetCore.Server/Controllers/AuthenticationController.cs b/sandbox/OpenIddict.Sandbox.AspNetCore.Server/Controllers/AuthenticationController.cs
index 3a59d2581..593fad196 100644
--- a/sandbox/OpenIddict.Sandbox.AspNetCore.Server/Controllers/AuthenticationController.cs
+++ b/sandbox/OpenIddict.Sandbox.AspNetCore.Server/Controllers/AuthenticationController.cs
@@ -90,7 +90,24 @@ public async Task LogInCallback()
 // Build the authentication properties based on the properties that were added when the challenge was triggered.
 var properties = new AuthenticationProperties(result.Properties.Items)
 {
- RedirectUri = result.Properties.RedirectUri ?? "/"
+ RedirectUri = result.Properties.RedirectUri ?? "/",
+
+ // Set the creation and expiration dates of the ticket to null to decorrelate the lifetime
+ // of the resulting authentication cookie from the lifetime of the identity token returned by
+ // the authorization server (if applicable). In this case, the expiration date time will be
+ // automatically computed by the cookie handler using the lifetime configured in the options.
+ //
+ // Applications that prefer binding the lifetime of the ticket stored in the authentication cookie
+ // to the identity token returned by the identity provider can remove or comment these two lines:
+ IssuedUtc = null,
+ ExpiresUtc = null,
+
+ // Note: this flag controls whether the authentication cookie that will be returned to the
+ // browser will be treated as a session cookie (i.e destroyed when the browser is closed)
+ // or as a persistent cookie. In both cases, the lifetime of the authentication ticket is
+ // always stored as protected data, preventing malicious users from trying to use an
+ // authentication cookie beyond the lifetime of the authentication ticket itself.
+ IsPersistent = false
 };
 // If needed, the tokens returned by the authorization server can be stored in the authentication cookie.