Added Refresh Token and Setting Token Lifetime section

3 years ago · b49eb899fb
1 changed files with 59 additions and 0 deletions
--- a/docs/en/Modules/OpenIddict.md
+++ b/docs/en/Modules/OpenIddict.md
@ -414,6 +414,65 @@ https://documentation.openiddict.com/guides/index.html#events-model

 https://documentation.openiddict.com/configuration/proof-key-for-code-exchange.html

+### Setting Tokens Lifetime
+
+Update `PreConfigureServices` method of AuthServerModule (or HttpApiHostModule if you don't have tiered/separate-authserver) file:
+
+```csharp
+PreConfigure<OpenIddictServerBuilder>(builder =>
+{
+	builder.SetAuthorizationCodeLifetime(TimeSpan.FromMinutes(30));
+    builder.SetAccessTokenLifetime(TimeSpan.FromMinutes(30));
+    builder.SetIdentityTokenLifetime(TimeSpan.FromMinutes(30));
+    builder.SetRefreshTokenLifetime(TimeSpan.FromDays(14));
+});
+```
+
+### Refresh Token
+
+To use refresh token, it must be supported by OpenIddictServer and the `refresh_token` must be requested by the application.
+
+> **Note:** Angular application is already configured to use `refresh_token`.
+
+#### Configuring OpenIddictServer
+
+Update the **OpenIddictDataSeedContributor**, add `OpenIddictConstants.GrantTypes.RefreshToken` to grant types in `CreateApplicationAsync` method:
+
+```csharp
+await CreateApplicationAsync(
+    ...
+    grantTypes: new List<string> //Hybrid flow
+    {
+        OpenIddictConstants.GrantTypes.AuthorizationCode,
+        OpenIddictConstants.GrantTypes.Implicit,
+        OpenIddictConstants.GrantTypes.RefreshToken,
+    },
+    ...
+```
+
+> **Note:** You need to re-create this client if you have generated the database already.
+
+#### Configuring Application:
+
+You need to request the **offline_access scope** to be able to receive `refresh_token`. 
+
+In **Razor/MVC, Blazor-Server applications**, add `options.Scope.Add("offline_access");` to **OpenIdConnect** options. These application templates are using cookie authentication by default and has default cookie expire options set as:
+
+```csharp
+.AddCookie("Cookies", options =>
+{
+    options.ExpireTimeSpan = TimeSpan.FromDays(365);
+})
+```
+
+[Cookie ExpireTimeSpan will ignore access_token expiration](https://learn.microsoft.com/en-us/dotnet/api/Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationOptions.ExpireTimeSpan?view=aspnetcore-7.0&viewFallbackFrom=net-7.0) and expired access_token will still be valid if it is set to higher value than the `refresh_token lifetime`. It is recommended to keep **Cookie ExpireTimeSpan** and the **Refresh Token lifetime** same, hence the new token will be persisted in the cookie.
+
+In **Blazor wasm** applications, add `options.ProviderOptions.DefaultScopes.Add("offline_access");` to **AddOidcAuthentication** options.
+
+In **Angular** applications, add `offline_access` to **oAuthConfig**  scopes in *environment.ts* file. (Angular applications already have this configuration).
+
+
+
 ## Demo projects

 In the module's `app` directory there are six projects(including `angular`)