IdentityServer4 keeps cancelling token requests after one minute - identityserver4

I am using the Skoruba Identity Server 4 Admin Template.
The 'connect/token' endpoint keeps getting cancelled after exactly 1.7 minutes for one of our web APIs.
The API is consumed by a Windows service and a web app.
The Windows service pushes data to the API every five minutes, and runs on multiple clients.
The service, web app and API use the same IS4 application for authentication.
Is there any explanation for why the token requests get cancelled after exactly 1.7 minutes every time for only this particular API?

Related

websphere portal session timeout

We have an application running on WebSphere Portal with a javascript frontend calling a REST API backend via a servlet. The app is launched via a Portlet.
After the app starts up no further web requests go through the /wps portal context, everything goes through the servlet-based REST API.
The issue we have is that the HttpSession times out even though active requests are being made to the REST API.
Any ideas as to why the HttpSession is disappearing?
Do you have security restraints set up on the REST API so it keeps the session id alive? Also, the portal session will still die if it is not being accessed, even if your LTPA/JSession id is still valid.

Is this user authentication process reasonable?

I've been developing a RESTful API server communicating with cross-platform clients such as Android, iOS, web browsers, and so on.
When a user logs in successfully with username and password, the server issues an access token (JWT, 5 minutes) and a refresh token (GUID, 20 days).
When we develop the Android client app communicating with the server, we can just store these tokens on the mobile device, and I believe it will not be a problem in terms of security (using SharedPreferences).
But when it comes to web browsers (React app), I had to tackle where to store these tokens. Finally, I decided on an HttpOnly cookie, because I can manage CSRF attacks more easily than XSS.
Soon, I doubted this is a typical design. For example, web browser users cannot log out whenever they want. So I decided to change to a wrapper server (Node.js) between the React app and the RESTful API server.
In my second design, the React app and the wrapper server authenticate with a session-cookie model, using passport.js for example. When the wrapper recognizes the request is authenticated, it issues a short-term access token (1-minute JWT) and reorganizes the request by inserting the access token just issued in the header sent to the RESTful API server.
Is this a reasonable process? Thank you in advance.
You could simplify your solution by removing the JWT access token altogether. The refresh token could be used as a session id. Every time a client issues an API call to the server the session id is sent in an HTTP header, so you can check if the request is legitimate.
Your approach of using a JWT token with a short expiration time is ok, but it brings some complexity to your system. In my opinion this approach is best suited for systems where you have an authentication service and a resource owner service. So the client would request an access token to the authentication service and use that token to communicate with the resource owner service. Then the resource owner can check the validity of the access token by just checking whether the signature matches the authentication service's.
I hope this helps you, let me know if I'm missing something.
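The split described in the answer above, as an added example that is not part of the original posts: the wrapper signs a 1-minute JWT with its private key and the REST API validates it with only the public key. It assumes the System.IdentityModel.Tokens.Jwt package; the issuer and audience values and the class name are constructed for illustration.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

public static class ShortLivedTokenDemo
{
    // Constructed values for this example.
    const string Issuer = "https://wrapper.example";
    const string Audience = "rest-api";

    // Wrapper (authentication side): signs with the private key.
    public static string Issue(RSA privateKey, string userId)
    {
        var handler = new JwtSecurityTokenHandler();
        var token = handler.CreateToken(new SecurityTokenDescriptor
        {
            Issuer = Issuer,
            Audience = Audience,
            Subject = new ClaimsIdentity(new[] { new Claim("sub", userId) }),
            Expires = DateTime.UtcNow.AddMinutes(1),
            SigningCredentials = new SigningCredentials(
                new RsaSecurityKey(privateKey), SecurityAlgorithms.RsaSha256)
        });
        return handler.WriteToken(token);
    }

    // REST API (resource side): holds only the public key parameters.
    public static ClaimsPrincipal Validate(RSAParameters publicKey, string jwt)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKey = new RsaSecurityKey(publicKey),
            ValidateLifetime = true,
            // The default skew is 5 minutes, which would let a
            // 1-minute token be accepted for about 6 minutes.
            ClockSkew = TimeSpan.FromSeconds(5)
        };
        // Throws a SecurityTokenException subtype on a bad signature,
        // wrong issuer/audience, or an expired token.
        return new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out _);
    }
}
```

The API side would be given `rsa.ExportParameters(false)` from the wrapper's key, so a compromise of the API does not expose the signing key.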

IdentityServer4 Restart causes 401 unauthorized until API app pool is reset due to metadata

We have an IdentityServer4 Host as our IDP. We have a 4.6 WEB (SPA) calling an API using Hybrid flow (Calling the API by passing the accessToken). Everything is working as expected. Please note that on the API we are using IdentityServer3.AccessTokenValidation package to authenticate with IdentityServer4.
Scenario
Restarting the IdentityServer4 host causes newly logged-on users to get a 401 unauthorized on calls to the API. We know of 2 solutions to this issue:
1.) Restart the API App Pool (undesired)
2.) In the API, setup of app.UseIdentityServerBearerTokenAuthentication to set AutomaticRefreshInterval to 5 minutes of caching. After 5 minutes, newly logged on users can now retrieve data from the API.
The question is:
1.) Is there another option we can do beside what is mentioned above?
2.) If we do set the AutomaticRefreshInterval to the lowest possible cache value of 5 minutes, can you foresee any potential issues that we should account for? e.g. performance issues, security concerns, etc?
If using a temporary in-memory signing key then you'll get this behaviour. You need to create a persisted signing credential like an X509 certificate and load it when your IDS4 service starts.
Some guidance here: http://docs.identityserver.io/en/release/topics/startup.html#refstartupkeymaterial
See my answer here for a code sample on how to load a cert or certs from the machine certificate store:
How we can replace AddDeveloperSigningCredential on AWS Serverless Lambda environment?
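One way to load a persisted signing certificate at startup, as the answer above recommends (an added example, not the code from the linked answer). The thumbprint is a placeholder, the class and method names are hypothetical, and the certificate is assumed to be installed with its private key in the LocalMachine\My store.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.DependencyInjection;

public static class SigningCredentialSetup
{
    // Placeholder: thumbprint of the signing certificate installed on the host.
    private const string Thumbprint = "<SIGNING-CERT-THUMBPRINT>";

    public static X509Certificate2 LoadSigningCertificate(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            // validOnly: false so a self-signed signing certificate is still found.
            var matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, validOnly: false);

            if (matches.Count == 0)
                throw new InvalidOperationException(
                    "Signing certificate not found in LocalMachine\\My.");

            var cert = matches[0];
            // Fail at startup rather than at the first token request.
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException(
                    "Signing certificate has no accessible private key.");
            if (DateTime.Now > cert.NotAfter)
                throw new InvalidOperationException(
                    "Signing certificate has expired.");
            return cert;
        }
    }

    public static void ConfigureServices(IServiceCollection services)
    {
        // Used in place of AddDeveloperSigningCredential(): the same key is
        // loaded after every restart, so tokens issued after a restart are
        // signed with the key the API already has cached.
        services.AddIdentityServer()
            .AddSigningCredential(LoadSigningCertificate(Thumbprint));
        // Clients, resources and stores are registered as before.
    }
}
```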

Force one session per user Golang and AngularJS

I'm building a web application using Go, and it will be just a bunch of ReST services.
I plan to use AngularJS as the front end, and it will make service calls to the Go application.
I plan to deploy to Google App Engine, and use its user authentication service.
Is it possible to then limit a user's session to one at a time, so that a user may not share their login with someone else, and then have that login logged in multiple times concurrently?

Handling authenticated session timeouts in Silverlight

I have a LOB Silverlight app that uses web services, and forms authentication to authenticate users. The app has a lot of state on the client side. My problem is when the client comes back to the app after a period of inactivity, and their authenticated session has expired so they get authentication errors back from the web services that require authentication.
What is the best method to prevent this situation?
I have tried using a "heartbeat" via dummy web service method that is called at a regular interval and that seems to work for keeping the session alive, but is there a better solution?
You can increase the session timeout or send a regular request to the service to keep the session alive. Or, when the session has expired, ask the user to log in to the application again. I guess these are standard practices for web applications based on ASP.NET infrastructure.
This post is what I have done and it appears to accomplish what you are asking
Preventing an ASP.NET Session Timeout when using Silverlight
