Session Expiry Issue with Google Login in Duende IdentityServer

[AbhiEVision]

IdentityServer version

6.3.10

.NET version

6

Description

Issue
I am using Duende IdentityServer with Google as an external identity provider. My login flow includes:

Password Flow (which works fine)
Google Login Flow (session expires too soon)
When logging in using the password flow, the session remains valid as expected. However, when logging in via Google, the session expires much sooner than the configured lifetime settings.

Client Configuration:
IdentityTokenLifeTime: 300
AccessTokenLifeTime: 1200
AuthorizationCodeLifeTime: 300
AbsoluteRefreshTokenLifeTime: 604800 (7 Days)
RefreshTokenUsage: OneTimeOnly
RefreshTokenExpiration: Absolute

Server-Side Cookie Configuration:
Cookie Lifetime: 1 Day
Sliding Expiration: True

Google External Authentication Configuration:

.AddOpenIdConnect("Google", options =>
{
    options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
    options.ForwardSignOut = IdentityServerConstants.DefaultCookieAuthenticationScheme;

    options.Authority = "https://accounts.google.com/";
    options.SaveTokens = true;
    options.Scope.Add("email");
})

Actual Behavior
Password flow works as expected.
Google login flow causes session expiration much earlier than configured, forcing frequent re-authentication.

Questions
What could be causing the session to expire earlier when logging in via Google?
Are there additional settings required to persist the session for external providers like Google?
Is there a difference in how IdentityServer handles sessions for external vs. local logins?
Any guidance or suggestions would be greatly appreciated!

Reproduction steps

No response

Expected behavior

The session should persist according to the configured cookie and token lifetimes for both Password and Google login flows.

Logs

No response

Additional context

No response

[RolandGuijt]

Assuming that you mean IdentityServer's session (not the client's session):

The code where the session cookie is set for internal logins and where it is set for external logins is not in the IdentityServer library. It is part of your project. When using our template code look for Pages/Account/Login to find the code for the internal login and in Pages/ExternalLogin/Callback.cshtml.cs for external.
Can you please check these files and see if there are differences?

Also: What is the lifetime of the Google session? If that is shorter with ForwardSignout set IdentityServer's cookie will be invalidated when that expires.

[AbhiEVision]

Currently i am configured the cookie using the ConfigureApplicationCookie than i am facing the issue of Earlier logout When using the External Provider ( Google ) over the Passowrd Auth flow.

And as per the suggestion there is not diffrence in logic of pages ( Login and Callback )

So for the same session time of external and local login do i need to configure both cookies IdentityServer and Application Cookie?

[RolandGuijt]

When using an external authentication provider (Google in this case) there are at least 3 sessions:

• One per client (application user is accessing).
• Identity Provider
• Google

These all set their own session cookies and thus can have their own session lifetime.
The code you provided suggested that the Identity Provider session expires at the same time the Google session expires. That is probably because ForwardSignout is set.

So the solution could be one of these:

• Do not set ForwardSignout
• Extend the duration of the Google session if possible

[AbhiEVision]

As per your suggestion i Removed the ForwardSignout Property and tested but still faces same issue.

Now further the finding i found that i need to configure the both cookies Identity Server Cookie and Application Cookies. so, i configured both with same expiry time but and test the application but that is not helped me in my case. is there possible that i miss some Client Configuration for this issue? if you can suggest the What configuration i need to do for the same session time for both External and Local login ( Password )?

[RolandGuijt]

Can you please share the code that runs when the callback from the external identity provider takes place?
In our default template it is in Pages/ExternalLogin/Callback.cshtml.

[AbhiEVision]

Sure here is the OnGet method of the Callback page:

public async Task OnGet()
{

var result = await HttpContext.AuthenticateAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);
if (result?.Succeeded != true)
{
	return Redirect("/~");
}

var extPrincipal = result.Principal;
var expProperties = result.Properties;
var claims = extPrincipal.Claims?.ToList();
string? email = claims.FirstOrDefault(c => c.Type == ClaimTypes.Email)?.Value;

var returnUrl = result.Properties.Items["returnUrl"] ?? "~/";
var provider = result.Properties.Items[".AuthScheme"];

// lookup our user and external provider info
var userIdClaim = result.Principal.FindFirst(JwtClaimTypes.Subject) ??
					  result.Principal.FindFirst(ClaimTypes.NameIdentifier);
if (userIdClaim == null)
{
	ModelState.AddModelError(string.Empty, "Unknown Userid");
	TempData["ModelStateErrors"] = ModelState.Values
		.SelectMany(v => v.Errors)
		.Select(e => e.ErrorMessage)
		.ToList();
	return Redirect($"/Login?returnUrl={Uri.EscapeDataString(returnUrl)}");
}
claims.Remove(userIdClaim);
var providerUserId = userIdClaim.Value;

var emailClaim = extPrincipal.Claims.FirstOrDefault(x => x.Type == ClaimTypes.Email).Value;
var user = await _userManager.FindByLoginAsync(provider, providerUserId);

if (user == null)
{
	user = await _userManager.FindByEmailAsync(email);
	if (user != null)
	{
		await _userManager.AddLoginAsync(user, new UserLoginInfo(provider, providerUserId, provider));
	}
	else
	{
		ModelState.AddModelError(string.Empty, $"We could not find any account associated with the email address {emailClaim}.");
		TempData["ModelStateErrors"] = ModelState.Values
			.SelectMany(v => v.Errors)
			.Select(e => e.ErrorMessage)
			.ToList();
		return Redirect($"/Login?returnUrl={Uri.EscapeDataString(returnUrl)}");
	}
}

// Ensure that the user can sign in
if (!await _signInManager.CanSignInAsync(user))
{
	ModelState.AddModelError(string.Empty, "message.");
	TempData["ModelStateErrors"] = ModelState.Values
	.SelectMany(v => v.Errors)
	.Select(e => e.ErrorMessage)
	.ToList();
	return Redirect($"/Login?returnUrl={Uri.EscapeDataString(returnUrl)}");
}

// this allows us to collect any additional claims or properties
// for the specific protocols used and store them in the local auth cookie.
// this is typically used to store data needed for signout from those protocols.
var additionalLocalClaims = new List<Claim>();
var localSignInProps = new AuthenticationProperties();
CaptureExternalLoginContext(result, additionalLocalClaims, localSignInProps);

// issue authentication cookie for user
var isuser = new IdentityServerUser(user.Id.ToString())
{
	DisplayName = user.UserName,
	IdentityProvider = provider,
	AdditionalClaims = additionalLocalClaims
};

await HttpContext.SignInAsync(isuser, localSignInProps);

// delete temporary cookie used during external authentication
await HttpContext.SignOutAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);

// check if external login is in the context of an OIDC request
var context = await _interaction.GetAuthorizationContextAsync(returnUrl);
await _events.RaiseAsync(new UserLoginSuccessEvent(provider, providerUserId, user.Id.ToString(), user.UserName, true, context?.Client.ClientId));

if (context != null)
{
	if (context.IsNativeClient())
	{
		// The client is native, so this change in how to
		// return the response is for better UX for the end user.
		return this.LoadingPage(returnUrl);
	}
}
return Redirect(returnUrl);

}

[maartenba]

@AbhiEVision do you have an Enterprise license with access to priority support? We may need some extra information here to help diagnose and determine if this may needs some consulting.

[AbhiEVision]

@AbhiEVision do you have an Enterprise license with access to priority support? We may need some extra information here to help diagnose and determine if this may needs some consulting.

I am not aware of that as i am junior developer i need to ask my senior for that.

[RolandGuijt]

Can you please find that out? We would like to help you via our 1:1 priority support channel if possible.

[AbhiEVision]

We are working on this for our client, so I am not aware of the license details.

[maartenba]

Can you please reach out to me via maarten at duendesoftware .com with the name of the client? I'll then check license details and see if we could move this to priority support.

[AbhiEVision]

I have observed that if i have not configured any cookies and its time and only configured the Serverside Sessions as per the demo my session is not getting expired earlier as per the expectations. session time is shown as 14 days so I need help that how can I decrease time of session.

Also i need to know that custom implementation of IAuthorizeInteractionResponseGenerator, IProfileService and ICustomAuthorizeRequestValidator interface can affect the session time or not?