AccessTokenLifetime expiration - IdentityServer code flow


I have an ASP.NET Core application with IdentityServer4 for authentication and authorization.
I am using oidc-client with Angular 10 for the front-end.
The problem is that my application never logs the user out, even after the token has expired; it is refreshed silently. My AccessTokenLifetime is set to 5 minutes. My CookieSlidingTime is set to 10 minutes. Here is my code:

    import { WebStorageStateStore } from 'oidc-client';

    // oidc-client-js UserManager settings (Constants is the app's own settings object)
    const idServerSettings = {
      authority: Constants.stsAuthority,
      client_id: Constants.clientId,
      scope: 'openid profile',
      response_type: 'code',
      redirect_uri: `${Constants.clientRoot}signin-callback`,
      post_logout_redirect_uri: `${Constants.clientRoot}signout-callback`,
      store: new WebStorageStateStore({ store: localStorage }),
      automaticSilentRenew: true,   // renew the access token before it expires
      loadUserInfo: true
    };

IdentityServer configuration

    new Client {
        ClientName = "test",
        ClientId = "client-spa",
        AllowedGrantTypes = GrantTypes.Code,
        AlwaysIncludeUserClaimsInIdToken = true,
        RedirectUris = new List<string>() { "https://localhost:44383/signin-callback" },
        PostLogoutRedirectUris = { "https://localhost:44383/signout-callback" },
        AllowedCorsOrigins = { "https://localhost:44383" },
        AccessTokenLifetime = 60 * 5, // seconds; TODO
        AllowedScopes = {
            IdentityServerConstants.StandardScopes.OpenId,
            IdentityServerConstants.StandardScopes.Profile,
            "propel-api"
        },
        RequireClientSecret = false
    }



    var builder = services.AddIdentityServer(options =>
    {
        options.Events.RaiseErrorEvents = true;
        options.Events.RaiseInformationEvents = true;
        options.Events.RaiseFailureEvents = true;
        options.Events.RaiseSuccessEvents = true;
        options.UserInteraction.LoginUrl = "/Account/Login";
        options.UserInteraction.LogoutUrl = "/Account/Logout";
        // IdentityServer4.Configuration.AuthenticationOptions: controls the IdentityServer session cookie
        options.Authentication = new AuthenticationOptions()
        {
            CookieLifetime = TimeSpan.FromMinutes(10),
            CookieSlidingExpiration = true,
        };
    });

Answer (accepted), by nahidf:

The silent refresh happens because you have automaticSilentRenew set to true; per the docs:

automaticSilentRenew (boolean, default: false): Flag to indicate if there should be an automatic attempt to renew the access token prior to its expiration. The attempt is made as a result of the accessTokenExpiring event being raised.

  • If you are looking for an automatic logout, that is not there by design, you need to implement the sign out. Ref.

  • To force the user to re-login after some time of inactivity, there is no out-of-the-box solution available in oidc-client-js (Ref). What you can do is:

    1. Set automaticSilentRenew to false

    2. Implement your own logic to indicate user inactivity and call signinSilent API manually. Ref

      Here are some examples of this approach: IdS4 sample, Okta sample

  • If you want to force the user to re-login after some fixed time:

    1. Set automaticSilentRenew = false
    2. Set UserSsoLifetime for the client on IDS4 configuration. Ref

    UserSsoLifetime: The maximum duration (in seconds) since the last time the user authenticated. Defaults to null. You can adjust the lifetime of a session token to control when and how often a user is required to reenter credentials instead of being silently authenticated, when using a web application.

    For example UserSsoLifetime = 10 will force the user to re-authenticate after 10 s of inactivity.
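One way to implement the inactivity-gated renewal described in the answer (automaticSilentRenew off, your own activity tracking, and a manual signinSilent only when the user has been active, otherwise a sign-out). This is an added example; it is not the poster's code and not part of oidc-client-js or IdentityServer4. It assumes the real oidc-client UserManager, which exposes signinSilent(), signoutRedirect() and events.addAccessTokenExpiring(); the UserManager is injected, and a constructed fake stands in for it so the logic can run outside a browser. The names createIdleGatedRenew, fakeUserManager and idleLimitMs are chosen here.

```javascript
// Added example, not from the original post or from oidc-client-js.
// Assumes automaticSilentRenew: false in the UserManager settings, so the
// accessTokenExpiring event is our only hook and nothing renews behind our back.
// `userManager` is any object with signinSilent(), signoutRedirect() and
// events.addAccessTokenExpiring() (the real oidc-client UserManager has these).
// `now` is injectable so the decision logic can be exercised without a real clock.
function createIdleGatedRenew({ userManager, idleLimitMs, now = () => Date.now() }) {
  let lastActivity = now();
  const log = []; // decisions taken, for diagnostics

  // Call from DOM activity listeners (mousemove, keydown, click, ...).
  function touch() {
    lastActivity = now();
  }

  function idleMs() {
    return now() - lastActivity;
  }

  // Pure decision: renew only if the user was active within idleLimitMs.
  function decide() {
    return idleMs() < idleLimitMs ? 'renew' : 'signout';
  }

  // Handler for accessTokenExpiring (raised accessTokenExpiringNotificationTime
  // seconds before the access token expires).
  async function onAccessTokenExpiring() {
    const action = decide();
    log.push({ action, idle: idleMs() });
    if (action === 'renew') {
      try {
        await userManager.signinSilent();
        return 'renewed';
      } catch (err) {
        // Silent renew can fail (IdP session gone, UserSsoLifetime exceeded,
        // third-party cookies blocked); treat it as an ended session.
        log.push({ action: 'renew-failed', error: String(err) });
      }
    }
    await userManager.signoutRedirect();
    return 'signed-out';
  }

  // Wire into the DOM and the UserManager; `target` is null outside a browser.
  function attach(target = typeof document !== 'undefined' ? document : null) {
    if (target) {
      for (const ev of ['mousemove', 'keydown', 'click', 'touchstart']) {
        target.addEventListener(ev, touch, { passive: true });
      }
    }
    userManager.events.addAccessTokenExpiring(onAccessTokenExpiring);
  }

  return { touch, idleMs, decide, onAccessTokenExpiring, attach, log };
}

// Constructed stand-in for oidc-client's UserManager so the logic runs offline.
function fakeUserManager({ silentFails = false } = {}) {
  const calls = [];
  return {
    calls,
    async signinSilent() {
      calls.push('signinSilent');
      if (silentFails) throw new Error('login_required'); // constructed failure
      return { access_token: 'new-token' };               // constructed value
    },
    async signoutRedirect() {
      calls.push('signoutRedirect');
    },
    events: {
      addAccessTokenExpiring() {
        calls.push('subscribed');
      },
    },
  };
}
```

In the Angular app you would construct this once with the real UserManager, call attach() after sign-in, and keep automaticSilentRenew off; the UserSsoLifetime setting on the IdentityServer client then bounds how long a renew can keep succeeding, and the catch branch turns that refusal into a sign-out instead of a stale session.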