diff --git a/src/Umbraco.Cms.Api.Common/DependencyInjection/UmbracoBuilderAuthExtensions.cs b/src/Umbraco.Cms.Api.Common/DependencyInjection/UmbracoBuilderAuthExtensions.cs
index 9d3466b212..b61f842b5a 100644
--- a/src/Umbraco.Cms.Api.Common/DependencyInjection/UmbracoBuilderAuthExtensions.cs
+++ b/src/Umbraco.Cms.Api.Common/DependencyInjection/UmbracoBuilderAuthExtensions.cs
@@ -1,11 +1,12 @@
-using Microsoft.Extensions.DependencyInjection;
 using System.Security.Cryptography;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
 using Microsoft.IdentityModel.Tokens;
 using Umbraco.Cms.Api.Common.Security;
 using Umbraco.Cms.Core;
+using Umbraco.Cms.Core.Configuration.Models;
 using Umbraco.Cms.Core.DependencyInjection;
 using Umbraco.Cms.Infrastructure.BackgroundJobs.Jobs;
-using Umbraco.Cms.Infrastructure.HostedServices;
 using Umbraco.Extensions;
 
 namespace Umbraco.Cms.Api.Common.DependencyInjection;
@@ -62,6 +63,17 @@ public static class UmbracoBuilderAuthExtensions
 .UseReferenceAccessTokens()
 .UseReferenceRefreshTokens();
 
+ // Apply sliding window expiry based on the configured max login lifetime
+ GlobalSettings globalSettings = builder.Config .GetSection(Constants.Configuration.ConfigGlobal) .Get() ?? new GlobalSettings();
+ TimeSpan timeOut = globalSettings.TimeOut;
+ // Make the access token lifetime 25% of the refresh token lifetime, to help ensure that new access tokens
+ // are obtained by the client before the refresh token expires.
+ options.SetAccessTokenLifetime(new TimeSpan(timeOut.Ticks / 4));
+ options.SetRefreshTokenLifetime(timeOut);
+
 // Use ASP.NET Core Data Protection for tokens instead of JWT.
 // This is more secure, and has the added benefit of having a high throughput
 // but means that all servers (such as in a load balanced setup)
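Review bot: `timeOut` is passed unchecked to `SetAccessTokenLifetime` and `SetRefreshTokenLifetime`, so a `GlobalSettings.TimeOut` that is zero (what a missing or unset config section would leave if the model has no initializer, which is not visible here) or negative becomes the token lifetime, and `timeOut.Ticks / 4` truncates toward zero for very small values; how OpenIddict treats a zero or negative lifetime is not visible in this hunk, but none of those values is a usable session length, so the config should be rejected up front: `if (timeOut <= TimeSpan.Zero) { throw new InvalidOperationException($"{nameof(GlobalSettings.TimeOut)} must be a positive TimeSpan to derive API token lifetimes."); }`. The first added comment promises "sliding window expiry", but the two calls only set fixed lifetimes; whether the window actually slides depends on the client refreshing before the refresh token's own expiry and on how the refresh flow issues tokens, neither of which this hunk establishes, so I would soften it to `// Derive API token lifetimes from the configured max login lifetime (GlobalSettings:TimeOut).` and keep the 25% rationale comment as the why. The `.Get()` call appears without a type argument (presumably `Get<GlobalSettings>()` lost in rendering); worth confirming against the real file. The enclosing method and the `options` configuration callback both start above this hunk.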