Is there a way to invalidate session cookie, when refresh token expires

[skatanski]

Version: 7.0.8

.net 8

From documentation, I can see it's possible to synchronize refresh token's lifetime with session cookie in a way that clears refresh tokens when session cookie expires. I can't find, if the other way around is possible - to make it so that session cookie expires, when the refresh token expires. We'd like the user on the front-end side to have to manually re-authenticate, when refresh tokens have expired, with this change being triggered by the back-end.

[skatanski]

I've investigated it a bit more, and I can see I could implement something like this in the RefreshTokenStore (whenever a refresh token is removed) or in my own implementation of DefaultRefreshTokenService. I could query session store and remove any sessions referenced to a given user/client. But perhaps there's a better way to do it, and if there are any counterpoint/or would it be considered bad practice by adding such functionality in the classes I've mentioned.

[RolandGuijt]

Setting the CoordinateClientLifetimesWithUserSession option in combination with server side sessions should work. Both the session lifetime and refresh token lifetime should be the same.

The session by default has sliding expiration. Whenever the refresh token is used, then the session is renewed. So if the refresh token isn't used and expires after X hours, then the session will expire at the same time.
The only case where the session would survive past the refresh token is if the user interacts with the IdentityServer but not the client app.

[RolandGuijt]

@skatanski Did my comment make things clear for you? If so I'd like to close the issue.

[skatanski]

Hi @RolandGuijt so I've set both:

• identityServerOptoins.Authentication.CoordinateClientLifetimesWithUserSession to true
• client specific field CoordinateLifetimeWithUserSession to true

However, after i run following scenario:

• request access token (lifetime 5 minutes) and single use refresh token (absolute lifetime 10 minutes)
• new access token/refresh token pair gets requested before 5 minute expiry
• next time I request new pair - that fails because rightly refresh token got expired
• I redirect user to login prompt - user gets automatically authenticated with a session cookie

I was expecting that actual login form would show up because the session should have expired along with the refresh token.

[skatanski]

Interestingly I've found following issue, which seems to overlap with mine:
DuendeArchive/Support#391
However DefaultSessionCoordinationService.ValidateSessionAsync doesn't seem to run, when an authentication using session cookie happens.

[skatanski]

So I've digged a bit more into it, and my current solution to terminate user session on failed refresh token validation is following:

• I've derived DefaultRefreshTokenService with my own implementation
• ValidateRefreshTokenAsync does the following extra, this is a POC:

if (result?.Error == "invalid_grant")
        {
            var refreshToken = await RefreshTokenStore.GetRefreshTokenAsync(tokenHandle);
            if(refreshToken != null)
                await serverSideSessionStore.DeleteSessionsAsync(new SessionFilter { SessionId = refreshToken.SessionId, SubjectId = refreshToken.SubjectId });
        }

This way whenever absolute refresh token expires, session will get terminated as well. I'd need to add client flag to enable it per client.
@RolandGuijt can you please advise if this is the recommended way, or whether I'm missing something/breaking any good practice

[RolandGuijt]

Just to make sure we didn't misunderstand: do you have server-side sessions enabled?

[RolandGuijt]

@skatanski Would you like to follow up on this? Or can we close the issue?

[skatanski]

Yes I do have server side sessions enabled. Sorry for the delay.

[maartenba]

(note: we're moving this issue to our new community discussions)

[RolandGuijt]

It looks I might have misunderstood earlier:

If you enable CoordinateClientLifetimesWithUserSession it's the lifetime of the session that is leading. When the session ends, the refresh token will expire. And whenever the refresh token is used it will slide the session and extend the lifetime of the session by default.
The feature isn't designed to be used the other way around. Ending the session when the refresh token expires would mean that users are logged out of the SSO session having consequences for all active client sessions.