Identity Server 3: Set different Refresh Token Expiration for a specific user RRS feed

  • Question

  • User-472426660 posted

    I have the following setup:

    Client: AngularJS Web App

    Server: ASP.NET Web API

    In the server I use the IdentityFramework3 to authenticate users on my AngularJS Client that has the (oidc-token-manager) configured.

    Currently I'm setting the AbsoluteRefreshTokenLifetime to 48 hours for my Client MyAngularJsApp like so:

    new Client
    	Enabled = true,
    	ClientId = MyAngularJsApp.Id,
    	ClientUri = MyAngularJsApp.Uri,
    	ClientName = MyAngularJsApp.Name,
    	Flow = Flows.Implicit,
    	AllowAccessToAllScopes = true,
    	IdentityTokenLifetime = 300,
    	AccessTokenLifetime = 3600,
    	RefreshTokenExpiration = TokenExpiration.Absolute,
    	RefreshTokenUsage = TokenUsage.ReUse,
    	AbsoluteRefreshTokenLifetime = TimeSpan.FromDays(2).Seconds,
    	RequireConsent = false,
    	RedirectUris = new List<string>
    		MyAngularJsApp.Uri + "/assets/idSrv/callback.html",
    		MyAngularJsApp.Uri + "/assets/idSrv/silentrefreshframe.html"
    	PostLogoutRedirectUris = new List<string>
    		MyAngularJsApp.Uri + "/index.html"

    There is one specific user that will log into my client that I want to set his Refresh Token to last 100 days so that the user does not have to Authenticate in 100 days, the reason I need this specific user to have 100 days without needing to log in is because this user will be used to display a specific part of the app on a big monitor, it'll remain static for 100 days

    AbsoluteRefreshTokenLifetime = TimeSpan.FromDays(100).Seconds,

      How do I make it so that only this user has this refresh token lifetime?

    Thursday, October 18, 2018 12:08 AM

All replies

  • User1724605321 posted

    Hi SkyFallDev2018 ,

    I don't think identity server 3 supports dynamic registration for clients but not sure , you can confirm that on their support channel :


    As a workaround , you can register two clients , and only the specific user can authenticate in that client which has special configuration .

    Best Regards,

    Nan Yu

    Friday, October 19, 2018 6:44 AM
  • User-472426660 posted

    That would mean I need to create two deployments of my AngularJS Client with two different domains, I was hoping for a better solution but it doesn't look like it's supported.

    Friday, October 19, 2018 2:31 PM
  • User1724605321 posted

    Hi SkyFallDev2018,

    You can confirm that feature on github support channel , in addition , you doesn't need to use two different domain .

    Best Regards,

    Nan Yu

    Monday, October 22, 2018 6:56 AM