Hello, I would like to know the concrete steps for implementing a session timeout using Azure AD in ABP, because once we are logged in there is no timeout after which the user has to log in again. Specifically, I want the user session to expire after 24 hours. We are not using app.UseDynamicClaims(). Thanks in advance!
This code is in my Blazor module, in the method PreConfigureServices:
```csharp
// PreConfigureServices: certificate setup for the OpenIddict server.
// Needs: using Microsoft.Extensions.Hosting; using Volo.Abp.OpenIddict;
if (!hostingEnvironment.IsDevelopment())   // IsDevelopment() is an extension method; the parentheses are required
{
    PreConfigure<AbpOpenIddictAspNetCoreOptions>(options =>
    {
        // Do not fall back to the auto-generated development certificate outside Development
        options.AddDevelopmentEncryptionAndSigningCertificate = false;
    });

    PreConfigure<OpenIddictServerBuilder>(serverBuilder =>
    {
        // Production certificate; the pass phrase (elided here) belongs in configuration or a secret store, not in source
        serverBuilder.AddProductionEncryptionAndSigningCertificate("openiddict.pfx", "...");
    });
}
```
```csharp
// Configure auth method.
// Needs: using System.Security.Claims; using Microsoft.IdentityModel.Protocols.OpenIdConnect;
//        using Microsoft.Extensions.DependencyInjection;
var authenticationBuilder = context.Services.AddAuthentication();
authenticationBuilder.AddOpenIdConnect(
    authenticationScheme: "AzureOpenId",
    displayName: "...",
    configureOptions: options =>
    {
        options.Authority = $"https://login.microsoftonline.com/{azTenantId}/v2.0/";
        options.ClientId = "MyEntraId";
        options.ResponseType = OpenIdConnectResponseType.CodeIdToken;
        // CallbackPath is a PathString and must start with '/', otherwise the assignment throws
        options.CallbackPath = "/MyCallBack";
        // Placeholder: load the secret from configuration or a secret store, never from source
        options.ClientSecret = "MySecret";
        // The authority is https; keep this true outside local development so the discovery
        // document cannot be fetched over plain HTTP
        options.RequireHttpsMetadata = false;
        options.SaveTokens = true;
        options.GetClaimsFromUserInfoEndpoint = true;
        options.ClaimActions.MapJsonKey(ClaimTypes.NameIdentifier, "sub");
    });
```
3 Answer(s)
Hi, the primary way to control the session duration within your ABP application when using an external provider like Azure AD is by configuring the lifetime of the authentication cookie that your application issues. Azure AD controls its own session and token lifetimes, but your application's session is managed separately by the cookie authentication middleware.
So, you can configure your application cookie and set the expiration time to 24 hours like below:
```csharp
context.Services.ConfigureApplicationCookie(options =>
{
    options.ExpireTimeSpan = TimeSpan.FromHours(24); // Set cookie expiration to 24 hours
    options.SlidingExpiration = true;
});
```
Regards.
When I navigate between different pages using the sidebar, the cookie seems to be ignored. However, when I refresh the page in the browser, the cookie is correctly validated, and I am logged out. Is there a simple way to always check the cookie, even when navigating via the sidebar?
Hi,
When you set SlidingExpiration to true, the session won't expire while the user is actively using the system; it covers the inactive duration. When the user makes an action, the countdown resets. If you set smaller durations, it won't be precise, since there is a tolerance. Most authentication servers, including identity providers like Keycloak, have a slight tolerance for token expiration. Typically, there is a grace period, often around five minutes, to account for slight variations in server time, network latency, and other technical factors. This ensures that users don't get abruptly logged out due to minor timing discrepancies.
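Worked example, added here by the editor and not code from the thread, from ABP or from Microsoft: the cookie settings from the first answer, extended so that the 24-hour limit holds both on full HTTP requests and inside the Blazor Server circuit that the follow-up question is about. Navigation via the sidebar travels over the SignalR connection, where no HTTP request, and therefore no cookie check, takes place; the circuit keeps the ClaimsPrincipal captured when it was opened. The standard ASP.NET Core mechanism for that is a RevalidatingServerAuthenticationStateProvider, which re-checks the circuit's principal on a timer. To give it something to check, the deadline is stamped into the principal as a claim at sign-in; the claim name session_expires_at, the SessionLifetime helper and the provider class name are choices made for this example. One precision on the last answer: the roughly five-minute grace period is the default TokenValidationParameters.ClockSkew applied when ID tokens and JWTs are validated; the cookie handler compares the ticket's ExpiresUtc with the clock directly, so ExpireTimeSpan is honoured as written (subject only to sliding renewal).

```csharp
using System;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Components.Authorization;
using Microsoft.AspNetCore.Components.Server;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

// Example helper (name chosen for this example). Carries the absolute session deadline
// inside the principal so that both the cookie middleware (HTTP requests) and the
// Blazor circuit (SignalR navigation) can enforce it.
public static class SessionLifetime
{
    public const string ExpiresAtClaim = "session_expires_at";        // unix seconds; example claim name
    public static readonly TimeSpan Absolute = TimeSpan.FromHours(24);

    public static bool IsExpired(ClaimsPrincipal? user, DateTimeOffset now)
    {
        var value = user?.FindFirst(ExpiresAtClaim)?.Value;
        // No deadline claim (e.g. a cookie issued before this code was deployed): treat as
        // expired so the user is sent through sign-in once and receives a stamped cookie.
        if (value == null || !long.TryParse(value, out var unixSeconds)) return true;
        return now >= DateTimeOffset.FromUnixTimeSeconds(unixSeconds);
    }

    // Call this from ConfigureServices in place of the bare ConfigureApplicationCookie call.
    public static void Configure(IServiceCollection services)
    {
        services.ConfigureApplicationCookie(options =>
        {
            options.ExpireTimeSpan = Absolute;
            // true  -> the cookie is re-issued on activity past the halfway point (idle timeout)
            // false -> no renewal at all; the cookie dies 24h after it was issued
            options.SlidingExpiration = true;

            options.Events.OnSigningIn = ctx =>
            {
                // Stamped once at sign-in. Sliding renewals re-serialise the same principal,
                // so the claim value does not move and caps the session at 24h from sign-in.
                var deadline = DateTimeOffset.UtcNow.Add(Absolute).ToUnixTimeSeconds();
                if (ctx.Principal?.Identity is ClaimsIdentity identity)
                {
                    identity.AddClaim(new Claim(ExpiresAtClaim, deadline.ToString()));
                }
                return Task.CompletedTask;
            };

            options.Events.OnValidatePrincipal = async ctx =>
            {
                // Runs on every HTTP request that presents the cookie (e.g. a full page refresh).
                if (IsExpired(ctx.Principal, DateTimeOffset.UtcNow))
                {
                    ctx.RejectPrincipal();
                    await ctx.HttpContext.SignOutAsync(ctx.Scheme.Name);
                }
            };
        });

        // Blazor Server: re-check the circuit's cached principal once a minute.
        services.AddScoped<AuthenticationStateProvider, SessionDeadlineAuthenticationStateProvider>();
    }
}

// Example provider (name chosen for this example). Between HTTP requests the circuit never
// sees the cookie, so this timer-driven check is what ends the session mid-navigation.
public sealed class SessionDeadlineAuthenticationStateProvider : RevalidatingServerAuthenticationStateProvider
{
    public SessionDeadlineAuthenticationStateProvider(ILoggerFactory loggerFactory) : base(loggerFactory) { }

    protected override TimeSpan RevalidationInterval => TimeSpan.FromMinutes(1);

    protected override Task<bool> ValidateAuthenticationStateAsync(
        AuthenticationState authenticationState, CancellationToken cancellationToken)
    {
        var user = authenticationState.User;
        if (user.Identity?.IsAuthenticated != true) return Task.FromResult(false);
        // Returning false makes the base class switch the circuit to the anonymous state.
        return Task.FromResult(!IsExpiredNow(user));
    }

    private static bool IsExpiredNow(ClaimsPrincipal user) =>
        SessionLifetime.IsExpired(user, DateTimeOffset.UtcNow);
}
```

Usage: call SessionLifetime.Configure(context.Services) from ConfigureServices. When the circuit check fails the UI flips to the unauthenticated state immediately; the cookie itself is rejected and signed out on the next HTTP request by OnValidatePrincipal, so a refresh cannot bring the session back. ABP's Blazor Server packages register their own AuthenticationStateProvider; that this AddScoped registration must come after ABP's, so that it is the one resolved, is an assumption to verify against your module's service registrations.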