Open Closed

Disable Refresh Token #6007


User avatar
0
SamirBoutazzout created

Hi everyone, I am trying to disable the refresh token and offline access in my app. I have followed multiple steps either here on this forum or on the internet but I haven't been successful. What I have done so far is I disabled the refresh token on the frontend (Angular) in the OpenId section and I removed the "offline_access" from the scope in the .env file. I have looked in the backend but I couldn't find anywhere to remove the refresh token in the AuthServer. Once I have done these steps, I no longer have the refresh token stored in localStorage, but the behaviour still persists. I have lowered the validation duration of the access token to 10mins, but once it expires, the app automatically gets a new one and the user's session is extended. Basically what i'm stuck with is a never ending user session which is not desirable in our case.

Am I missing a step in the backend? is there anyway to force the user to re-authenticate after the session access token is expired?

  • ABP Framework version: v6.0.1
  • UI Type: Angular
  • Database System: EF Core (PostgreSQL)
  • Tiered (for MVC) or Auth Server Separated (for Angular): Auth Server Separated (for Angular)

5 Answer(s)
  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    It works for me

  • User Avatar
    0
    SamirBoutazzout created

    Hi,

    It works for me

    Thanks liangshiwei, That's exactly what I did and the same result I got but the JWT access token still gets renewed after expiry even though the refresh token is not there. In your case, if you for example set the JWT token expiry time in 10mins, does the app send a new request for a new one and gets it?

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    ok, I will check it

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    You can try this:

    context.Services.ConfigureApplicationCookie(options => 
    {
        options.ExpireTimeSpan = TimeSpan.FromSeconds(30); // just an example, you can use any time span you want
    });
    
    [ExposeServices(typeof(LoginModel))]
    public class MyLoginModel : OpenIddictSupportedLoginModel
    {
        public MyLoginModel(IAuthenticationSchemeProvider schemeProvider, IOptions<AbpAccountOptions> accountOptions, IAbpRecaptchaValidatorFactory recaptchaValidatorFactory, IAccountExternalProviderAppService accountExternalProviderAppService, ICurrentPrincipalAccessor currentPrincipalAccessor, IOptions<IdentityOptions> identityOptions, IOptionsSnapshot<Owl.reCAPTCHA.reCAPTCHAOptions> reCaptchaOptions, AbpOpenIddictRequestHelper openIddictRequestHelper) : base(schemeProvider, accountOptions, recaptchaValidatorFactory, accountExternalProviderAppService, currentPrincipalAccessor, identityOptions, reCaptchaOptions, openIddictRequestHelper)
        {
        }
    
        public override Task<IActionResult> OnPostAsync(string action)
        {
            // Remember me must be true, otherwise the cookie is session
            LoginInput.RememberMe = true;
            return base.OnPostAsync(action);
        }
    }
    
  • User Avatar
    0
    SamirBoutazzout created

    Thank you very much liangshiwei. That solved the issue.

Made with ❤️ on ABP v9.1.0-preview. Updated on December 05, 2024, 12:19