My OpenIddict config is as follows:
    services.AddOpenIddict(options =>
    {
        options.AddEntityFrameworkCoreStores<TestDbContext>();
        options.AddMvcBinders();
        options.EnableAuthorizationEndpoint("/connect/authorize")
               .EnableLogoutEndpoint("/connect/logout")
               .EnableIntrospectionEndpoint("/connect/introspect")
               .EnableUserinfoEndpoint("/api/userinfo");
        options.AllowImplicitFlow();
        options.RequireClientIdentification();
        options.EnableRequestCaching();
        options.DisableSlidingExpiration();
        options.AddSigningCertificate(
            assembly: typeof(Startup).GetTypeInfo().Assembly,
            resource: "Server.test.pfx",
            password: "test"); // embedded resource
        options.SetAccessTokenLifetime(TimeSpan.FromDays(1));
        options.SetIdentityTokenLifetime(TimeSpan.FromDays(1));
    });
When I test locally, the token seems to live as long as specified above, but in production (Windows Server 2016, IIS 10) it expires prematurely (in about 1 hour). This has been the case with both netcore1 and netcore2. I know I have the option to do a silent token renewal, but would like to avoid that process for now. Is there any known reason for this behaviour?
By default, OpenIddict uses ASP.NET Core Data Protection to encrypt its access tokens.
For the Data Protection stack to work correctly, you must configure it when going to production. See OpenIddict: 401 errors when two or more service instance count for more information.
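As an added illustration of the point in the answer above (this is example code written for this page, not the answerer's code or OpenIddict's own), here is the ASP.NET Core Data Protection setup the question's Startup is missing. With no key store configured, an IIS worker process whose app pool does not load a user profile falls back to an ephemeral, in-memory key ring, so every app-pool recycle produces a fresh key and access tokens protected with the previous key can no longer be unprotected, which callers see as premature expiry. The directory path and application name below are placeholders, and the target framework is assumed to be ASP.NET Core 2.x with the Microsoft.AspNetCore.DataProtection package.

```csharp
// Added example: persist and protect the Data Protection key ring so that tokens
// issued by OpenIddict survive IIS app-pool recycles and are readable on every node.
// Assumptions: ASP.NET Core 2.x; the key directory and application name are placeholders.
using System;
using System.IO;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Weak (default) behaviour: nothing persisted. Under an IIS app pool without a
        // loaded user profile this degrades to an in-memory key ring that is discarded on
        // every recycle, so previously issued access tokens stop validating.
        // services.AddDataProtection();

        // Hardened: a durable key ring that every instance of the app can read, keys
        // encrypted at rest, and a fixed application name so all instances agree on
        // the purpose strings used to derive the protection keys.
        var keyRingPath = new DirectoryInfo(@"C:\keys\openiddict"); // placeholder path;
                                                                   // grant the app-pool identity
                                                                   // read/write access to it
        services.AddDataProtection()
            .SetApplicationName("MyOpenIddictServer")      // placeholder; identical on every node
            .PersistKeysToFileSystem(keyRingPath)          // survives recycles; share for multi-node
            .ProtectKeysWithDpapi()                        // encrypt keys at rest (Windows DPAPI,
                                                           // machine-bound: single-machine only)
            .SetDefaultKeyLifetime(TimeSpan.FromDays(90)); // rotation interval for the key ring

        // OpenIddict registration stays exactly as in the question.
        services.AddOpenIddict(options =>
        {
            /* ... options from the question ... */
        });
    }
}
```

Two checks a practitioner will want: first, DPAPI protection is bound to the machine (or user) that encrypted the key, so a key ring shared between several servers should be protected with a certificate via ProtectKeysWithCertificate instead of ProtectKeysWithDpapi; second, at startup ASP.NET Core logs a warning when it falls back to an in-memory key repository, so seeing that warning in the production logs confirms this misconfiguration before any token is issued.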