diff --git a/docs/en/Modules/OpenIddict.md b/docs/en/Modules/OpenIddict.md index cfa35b7e2c..a47ce798bd 100644 --- a/docs/en/Modules/OpenIddict.md +++ b/docs/en/Modules/OpenIddict.md @@ -414,6 +414,65 @@ https://documentation.openiddict.com/guides/index.html#events-model https://documentation.openiddict.com/configuration/proof-key-for-code-exchange.html +### Setting Tokens Lifetime + +Update `PreConfigureServices` method of AuthServerModule (or HttpApiHostModule if you don't have tiered/separate-authserver) file: + +```csharp +PreConfigure(builder => +{ + builder.SetAuthorizationCodeLifetime(TimeSpan.FromMinutes(30)); + builder.SetAccessTokenLifetime(TimeSpan.FromMinutes(30)); + builder.SetIdentityTokenLifetime(TimeSpan.FromMinutes(30)); + builder.SetRefreshTokenLifetime(TimeSpan.FromDays(14)); +}); +``` + +### Refresh Token + +To use refresh token, it must be supported by OpenIddictServer and the `refresh_token` must be requested by the application. + +> **Note:** Angular application is already configured to use `refresh_token`. + +#### Configuring OpenIddictServer + +Update the **OpenIddictDataSeedContributor**, add `OpenIddictConstants.GrantTypes.RefreshToken` to grant types in `CreateApplicationAsync` method: + +```csharp +await CreateApplicationAsync( + ... + grantTypes: new List //Hybrid flow + { + OpenIddictConstants.GrantTypes.AuthorizationCode, + OpenIddictConstants.GrantTypes.Implicit, + OpenIddictConstants.GrantTypes.RefreshToken, + }, + ... +``` + +> **Note:** You need to re-create this client if you have generated the database already. + +#### Configuring Application: + +You need to request the **offline_access scope** to be able to receive `refresh_token`. + +In **Razor/MVC, Blazor-Server applications**, add `options.Scope.Add("offline_access");` to **OpenIdConnect** options. These application templates are using cookie authentication by default and has default cookie expire options set as: + +```csharp +.AddCookie("Cookies", options => +{ + options.ExpireTimeSpan = TimeSpan.FromDays(365); +}) +``` + +[Cookie ExpireTimeSpan will ignore access_token expiration](https://learn.microsoft.com/en-us/dotnet/api/Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationOptions.ExpireTimeSpan?view=aspnetcore-7.0&viewFallbackFrom=net-7.0) and expired access_token will still be valid if it is set to higher value than the `refresh_token lifetime`. It is recommended to keep **Cookie ExpireTimeSpan** and the **Refresh Token lifetime** same, hence the new token will be persisted in the cookie. + +In **Blazor wasm** applications, add `options.ProviderOptions.DefaultScopes.Add("offline_access");` to **AddOidcAuthentication** options. + +In **Angular** applications, add `offline_access` to **oAuthConfig** scopes in *environment.ts* file. (Angular applications already have this configuration). + + + ## Demo projects In the module's `app` directory there are six projects(including `angular`)