
OpenId Session Timeout #9383


FelixKirschner created

Hello, I would like to know the concrete steps for implementing a session timeout using Azure AD in ABP, because once we are logged in there is no timeout after which the user has to log in again. Specifically, I want the user session to expire after 24 hours. We are not using app.UseDynamicClaims(). Thanks in advance!

This code is in my blazor module in the method PreConfigureServices:

        // IsDevelopment() is an extension method on IHostEnvironment, so it needs the parentheses.
        if (!hostingEnvironment.IsDevelopment())
        {
            // Do not fall back to the auto-generated development certificate outside Development.
            PreConfigure<AbpOpenIddictAspNetCoreOptions>(options =>
            {
                options.AddDevelopmentEncryptionAndSigningCertificate = false;
            });

            // Production signing/encryption certificate for OpenIddict (path and password elided in the post).
            PreConfigure<OpenIddictServerBuilder>(serverBuilder =>
            {
                serverBuilder.AddProductionEncryptionAndSigningCertificate("openiddict.pfx", "...");
            });
        }
        

Configure auth method

            var authenticationBuilder = context.Services.AddAuthentication();

            authenticationBuilder.AddOpenIdConnect(
                authenticationScheme: "AzureOpenId",
                displayName: "...",
                configureOptions: options =>
                {
                    options.Authority = $"https://login.microsoftonline.com/{azTenantId}/v2.0/";
                    options.ClientId = "MyEntraId";
                    // Hybrid flow: authorization code plus an id_token in the front-channel response.
                    options.ResponseType = OpenIdConnectResponseType.CodeIdToken;
                    // CallbackPath is a PathString and must start with '/'.
                    options.CallbackPath = "/MyCallBack";
                    options.ClientSecret = "MySecret";
                    // Only safe for local development; the discovery document must be fetched over HTTPS in production.
                    options.RequireHttpsMetadata = false;
                    // Persist the access/refresh/id tokens in the authentication properties (i.e. inside the cookie).
                    options.SaveTokens = true;

                    options.GetClaimsFromUserInfoEndpoint = true;
                    options.ClaimActions.MapJsonKey(ClaimTypes.NameIdentifier, "sub");
                });

3 Answer(s)
    EngincanV created
    Support Team .NET Developer

    Hi, the primary way to control the session duration within your ABP application when using an external provider like Azure AD is by configuring the lifetime of the authentication cookie that your application issues. Azure AD controls its own session and token lifetimes, but your application's session is managed separately by the cookie authentication middleware.

    So, you can configure your application cookie and set the expiration time to 24 hours like below:

        context.Services.ConfigureApplicationCookie(options =>
        {
            options.ExpireTimeSpan = TimeSpan.FromHours(24); // Set cookie expiration to 24 hours
            options.SlidingExpiration = true;                // Renew the cookie on activity past the half-way point
        });
    

    Regards.

    FelixKirschner created

    When I navigate between different pages using the sidebar, the cookie seems to be ignored. However, when I refresh the page in the browser, the cookie is correctly validated, and I am logged out. Is there a simple way to always check the cookie, even when navigating via the sidebar?

    enisn created
    Support Team .NET Developer

    Hi,

    When you set SlidingExpiration to true, the cookie won't expire while the user is actively using the system. It covers the inactive duration: when the user makes an action, the countdown resets. If you set smaller durations, it won't be precise since it has a tolerance. Most authentication servers, including identity providers like Keycloak, have a slight tolerance for token expiration. Typically, there is a grace period, often around five minutes, to account for slight variations in server time, network latency, and other technical factors. This ensures that users don't get abruptly logged out due to minor timing discrepancies.
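The two answers above leave a gap a practitioner will want closed: with SlidingExpiration set to true, the 24-hour ExpireTimeSpan is only an idle timeout (an active user is renewed indefinitely), and in Blazor Server the cookie middleware only runs on a full page load, not on client-side navigation via the sidebar. The example below is added here and is not code from the thread or from the ABP framework. It enforces a hard 24-hour ceiling independent of sliding renewal, and re-checks that ceiling inside the Blazor circuit. Assumptions: the app signs external (Azure AD) logins into the ASP.NET Core Identity application cookie, as the standard ABP account flow does; the claim name "abs_exp" and the class names are hypothetical; the existing OnSigningIn/OnValidatePrincipal handlers (Identity installs a security-stamp validator there) are chained rather than replaced.

```csharp
using System;
using System.Globalization;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Components.Authorization;
using Microsoft.AspNetCore.Components.Server;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

// Added example, not ABP code. Call ConfigureCookie(context.Services) from ConfigureServices
// and register the revalidator with:
//   services.AddScoped<AuthenticationStateProvider, AbsoluteLifetimeRevalidator>();
public static class AbsoluteSessionLifetime
{
    // Hypothetical claim name: absolute deadline of the session as Unix seconds.
    public const string DeadlineClaim = "abs_exp";
    public static readonly TimeSpan MaxLifetime = TimeSpan.FromHours(24);

    public static bool HasExpired(ClaimsPrincipal user)
    {
        var raw = user?.FindFirst(DeadlineClaim)?.Value;
        if (raw == null)
        {
            return false; // no deadline recorded (e.g. older cookie): the cookie's own expiry applies
        }
        if (!long.TryParse(raw, NumberStyles.Integer, CultureInfo.InvariantCulture, out var unixSeconds))
        {
            return true;  // unparsable claim: fail closed rather than grant an open-ended session
        }
        return DateTimeOffset.UtcNow >= DateTimeOffset.FromUnixTimeSeconds(unixSeconds);
    }

    public static void ConfigureCookie(IServiceCollection services)
    {
        services.ConfigureApplicationCookie(options =>
        {
            options.ExpireTimeSpan = MaxLifetime;
            options.SlidingExpiration = true; // idle timeout; renewal re-issues the same principal and claims

            var previousSigningIn = options.Events.OnSigningIn;
            options.Events.OnSigningIn = async ctx =>
            {
                await previousSigningIn(ctx);
                // Stamp the hard deadline once, at sign-in. Sliding renewal copies the claims
                // into the new ticket, so the deadline survives renewals untouched.
                if (ctx.Principal?.Identity is ClaimsIdentity identity
                    && !identity.HasClaim(c => c.Type == DeadlineClaim))
                {
                    var deadline = DateTimeOffset.UtcNow.Add(MaxLifetime).ToUnixTimeSeconds();
                    identity.AddClaim(new Claim(DeadlineClaim, deadline.ToString(CultureInfo.InvariantCulture)));
                }
            };

            var previousValidate = options.Events.OnValidatePrincipal;
            options.Events.OnValidatePrincipal = async ctx =>
            {
                await previousValidate(ctx);
                // Runs on every request that carries the cookie (full page loads, API calls).
                if (ctx.Principal != null && HasExpired(ctx.Principal))
                {
                    ctx.RejectPrincipal();
                    await ctx.HttpContext.SignOutAsync(ctx.Scheme.Name); // clear the cookie
                }
            };
        });
    }
}

// Blazor Server keeps the user on a SignalR circuit; sidebar navigation never reaches the
// cookie middleware, so the same deadline is re-checked periodically inside the circuit.
public class AbsoluteLifetimeRevalidator : RevalidatingServerAuthenticationStateProvider
{
    public AbsoluteLifetimeRevalidator(ILoggerFactory loggerFactory) : base(loggerFactory) { }

    protected override TimeSpan RevalidationInterval => TimeSpan.FromMinutes(1);

    protected override Task<bool> ValidateAuthenticationStateAsync(
        AuthenticationState authenticationState, CancellationToken cancellationToken)
    {
        // Returning false makes the circuit's user unauthenticated; the cookie itself is
        // removed on the next full page load by OnValidatePrincipal above.
        return Task.FromResult(!AbsoluteSessionLifetime.HasExpired(authenticationState.User));
    }
}
```

If a pure idle timeout is all that is wanted, drop the deadline claim and keep only SlidingExpiration; if a pure absolute timeout is wanted, set SlidingExpiration to false instead of adding the claim. The combination above gives both an idle timeout and a hard cap, which is what most session-lifetime policies actually ask for.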

Made with ❤️ on ABP v9.3.0-preview. Updated on June 13, 2025, 11:37