V14: Apply sliding window token expiry based on the configured max login lifetime (#16028)

* Consider max login lifetime with access and refresh tokens

* Adding clarification comment

* Updated comment and added a little explanation for future clarity

---------

Co-authored-by: kjac <kja@umbraco.dk>
This commit is contained in:
Elitsa Marinovska
2024-04-18 08:24:58 +02:00
committed by GitHub
parent e20e001c12
commit e33d7a779d


@@ -1,11 +1,12 @@
using Microsoft.Extensions.DependencyInjection;
using System.Security.Cryptography;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;
using Umbraco.Cms.Api.Common.Security;
using Umbraco.Cms.Core;
using Umbraco.Cms.Core.Configuration.Models;
using Umbraco.Cms.Core.DependencyInjection;
using Umbraco.Cms.Infrastructure.BackgroundJobs.Jobs;
using Umbraco.Cms.Infrastructure.HostedServices;
using Umbraco.Extensions;
namespace Umbraco.Cms.Api.Common.DependencyInjection;
@@ -62,6 +63,17 @@ public static class UmbracoBuilderAuthExtensions
.UseReferenceAccessTokens()
.UseReferenceRefreshTokens();
// Apply sliding window expiry based on the configured max login lifetime
GlobalSettings globalSettings = builder.Config
.GetSection(Constants.Configuration.ConfigGlobal)
.Get<GlobalSettings>() ?? new GlobalSettings();
TimeSpan timeOut = globalSettings.TimeOut;
// Make the access token lifetime 25% of the refresh token lifetime, to help ensure that new access tokens
// are obtained by the client before the refresh token expires.
options.SetAccessTokenLifetime(new TimeSpan(timeOut.Ticks / 4));
options.SetRefreshTokenLifetime(timeOut);
// Use ASP.NET Core Data Protection for tokens instead of JWT.
// This is more secure, and has the added benefit of having a high throughput
// but means that all servers (such as in a load balanced setup)