Guidance Needed on Configuring Token Lifetimes in OpenIddict 5.7.0

[jimiscott]

Confirm you've already contributed to this project or that you sponsor it

• I confirm I'm a sponsor or a contributor

Version

5.7.0

Question

Hi Kevin,

I hope you’re well. I’m currently working with OpenIddict 5.7.0.

My main problem is this:

When the login page stays idle for around 15 minutes before the user even attempts to sign in, the system immediately returns the error:

Note

error: invalid_token
error_description: The specified token is no longer valid.

What is happening

1. The login page loads successfully with a long authorization URL containing client_id, scope, code_challenge, nonce, and state.

2. If I wait (e.g., 15 minutes or more) and then entering credentials, getting response in browser as:

EF Core queries OpenIddictTokens table using ReferenceId.

The failure seems related to the OpenIddict state token or nonce expiring too early during the authorization flow.

I have added options.SetAuthorizationCodeLifetime(TimeSpan.FromMinutes(30)); to see if there is any change, but no.

Below option is also not possible:

Could you please advise:

• How can we configure or extend the lifetime of the state and nonce tokens in OpenIddict 5.7.0?
• Are these lifetimes intentionally fixed?
• If they are not configurable, is there a recommended way to override or adjust the behaviour?
• Or is there any other way to fix above issue?

I appreciate your time and any guidance you can provide.

Kind regards

[kevinchalet]

Hey @jimiscott,

I hope you’re well.

Doing well, thanks! Hope you're doing well too 😃

The failure seems related to the OpenIddict state token or nonce expiring too early during the authorization flow.

Yep, the error indeed occurs because the state token is expired (note that you also get an error if the associated anti-CSRF/correlation cookie cannot be found or is malformed).

How can we configure or extend the lifetime of the state and nonce tokens in OpenIddict 5.7.0?

There are no "nonce tokens" in the OpenIddict client (the nonce is a actually a special claim stored in the state token), but you can easily configure the lifetime of state tokens - which also controls the lifetime of the correlation cookies - using options.SetStateTokenLifetime():

services.AddOpenIddict()
    .AddClient(options =>
    {
        // ...
        options.SetStateTokenLifetime(TimeSpan.FromMinutes(60));
    });

Are these lifetimes intentionally fixed?

Yes, actually. The default lifetime of 15 minutes is actually a compromise between giving users enough time to complete the registration/login process and keeping state tokens and their associated cookies for too long: while the OpenIddict anti-CSRF cookies are shorter than the equivalent correlation/nonce cookies in the ASP.NET Core OIDC middleware, you can end up in a situation where many cookies - generated by the OpenIddict client if multiple authorization flows are started without being completed or by your application - are returned. Some browsers - e.g Safari - enforce quite strict restrictions on the maximum number of cookies or their length, so the longer your OpenIddict state tokens/anti-CSRF cookies are, the higher the chances of hitting such annoying limits.

Or is there any other way to fix above issue?

I see you're using the default error page (which returns a clear error but is quite ugly, obviously 😄). You may want to enable the status code pages middleware integration and return a proper error page (with potentially a link to restart the authorization flow): https://documentation.openiddict.com/integrations/aspnet-core#status-code-pages-middleware-integration.

Hope it'll help 😃

[jimiscott]

Hi Kevin,

Thanks for your help.

We’ve implemented the error-handling flow using the default state-token lifetime of 15 minutes.
When the state token expires, the ErrorController is triggered, which then redirects to the Logout action in the AuthorizeController. The logout process is handled there, and the user is subsequently taken back to the login screen with a new state token.

Kind regards,

[kevinchalet]

Hey @jimiscott,

Glad it worked! 👍🏻