From e33d7a779d271df1ff4020c34e91d8e075af305f Mon Sep 17 00:00:00 2001
From: Elitsa Marinovska <21998037+elit0451@users.noreply.github.com>
Date: Thu, 18 Apr 2024 08:24:58 +0200
Subject: [PATCH] V14: Apply sliding window token expiry based on the configured max login lifetime (#16028)

* Consider max login lifetime with access and refresh tokens
* Adding clarification comment
* Updated comment and added a little explanation for future clarity

---------

Co-authored-by: kjac
---
 .../UmbracoBuilderAuthExtensions.cs | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/src/Umbraco.Cms.Api.Common/DependencyInjection/UmbracoBuilderAuthExtensions.cs b/src/Umbraco.Cms.Api.Common/DependencyInjection/UmbracoBuilderAuthExtensions.cs
index 9d3466b212..b61f842b5a 100644
--- a/src/Umbraco.Cms.Api.Common/DependencyInjection/UmbracoBuilderAuthExtensions.cs
+++ b/src/Umbraco.Cms.Api.Common/DependencyInjection/UmbracoBuilderAuthExtensions.cs
@@ -1,11 +1,12 @@
-using Microsoft.Extensions.DependencyInjection;
 using System.Security.Cryptography;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
 using Microsoft.IdentityModel.Tokens;
 using Umbraco.Cms.Api.Common.Security;
 using Umbraco.Cms.Core;
+using Umbraco.Cms.Core.Configuration.Models;
 using Umbraco.Cms.Core.DependencyInjection;
 using Umbraco.Cms.Infrastructure.BackgroundJobs.Jobs;
-using Umbraco.Cms.Infrastructure.HostedServices;
 using Umbraco.Extensions;
 
 namespace Umbraco.Cms.Api.Common.DependencyInjection;
@@ -62,6 +63,17 @@ public static class UmbracoBuilderAuthExtensions
             .UseReferenceAccessTokens()
             .UseReferenceRefreshTokens();
 
+        // Apply sliding window expiry based on the configured max login lifetime
+        GlobalSettings globalSettings = builder.Config
+            .GetSection(Constants.Configuration.ConfigGlobal)
+            .Get() ?? new GlobalSettings();
+        TimeSpan timeOut = globalSettings.TimeOut;
+
+        // Make the access token lifetime 25% of the refresh token lifetime, to help ensure that new access tokens
+        // are obtained by the client before the refresh token expires.
+        options.SetAccessTokenLifetime(new TimeSpan(timeOut.Ticks / 4));
+        options.SetRefreshTokenLifetime(timeOut);
+
         // Use ASP.NET Core Data Protection for tokens instead of JWT.
         // This is more secure, and has the added benefit of having a high throughput
         // but means that all servers (such as in a load balanced setup)
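Review bot: The lifetimes derived from `globalSettings.TimeOut` are passed to `SetAccessTokenLifetime`/`SetRefreshTokenLifetime` with no sanity check, so a zero or negative `TimeOut` yields `new TimeSpan(0)` access tokens that expire on issue, while a very large `TimeOut` silently stretches the bearer access token to 25% of it with no upper bound. A guard before the two `Set*Lifetime` calls, e.g. `if (timeOut <= TimeSpan.Zero) { timeOut = new GlobalSettings().TimeOut; }`, plus a comment stating that the access-token validity window now scales with the configured session timeout, would make that coupling explicit to operators. The new header comment promises a "sliding window", but the hunk itself only sets fixed lifetimes; whether the window actually slides depends on how refresh tokens are rolled on use, which is configured elsewhere in this method outside the hunk, so the comment should name that dependency. As a point of style, `new TimeSpan(timeOut.Ticks / 4)` reads more plainly as `timeOut / 4`.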