I just started to work with ABP.io (v7.4.1). These steps are exactly what I did:
1. Create a new solution using

```
abp new MyProject -u blazor -csf --separate-auth-server
```

2. Comment out all dependencies (`DependsOn` attributes) to `AbpCachingStackExchangeRedisModule` and `AbpDistributedLockingModule` (in order to be able to run the project without Redis).

3. Change the default token lifetimes (to inspect what happens when a token expires):

```csharp
PreConfigure<OpenIddictServerBuilder>(builder =>
{
    builder
        .SetAccessTokenLifetime(TimeSpan.FromSeconds(15))
        .SetIdentityTokenLifetime(TimeSpan.FromSeconds(15));
});
```
Then I ran the project and registered a user. While inspecting Network requests in Chrome Developer Tools, two questions arose for me:

- While logging in (either after a register or after a logout), two requests are sent to the Auth server for each of the `/connect/token` and `/connect/userinfo` endpoints. Why, and is this really needed?
- When I wait long enough for the token to expire, I expected a 401 error or a redirect to the login page. But magically the user remains logged in (thanks to a new request to `/connect/token` and `/connect/userinfo`). How does ABP (or the OpenIddict module, I don't know exactly) handle this process? (There isn't any refresh token, neither in the `/token` response nor in the `[OpenIddictTokens]` table.) Shouldn't I have coded for refresh tokens?
And the last question: is there any explained tutorial/documentation on how to customize the OpenIddict module?
Thanks in advance.
The token and userinfo endpoints are called to respectively retrieve an access token after a successful authorization dance and get back the profile details of the logged in user. It's part of the standard OpenID Connect authorization code flow defined here: https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth.
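To make the two-step exchange concrete, here is an added Python model of what the answer describes (it is not code from the post, from ABP or from OpenIddict): the code-for-token request to `/connect/token`, the Bearer call to `/connect/userinfo`, and an unverified decode of the access token's `exp` claim so you can see the 15-second lifetime from the question counting down. The auth server URL, client id, redirect URI and the PKCE `code_verifier` are assumed sample values.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Assumed sample value: the separate auth server from the question's template.
AUTH_SERVER = "https://localhost:44300"


def build_token_request(code, redirect_uri, client_id, code_verifier):
    """Step 1 of the code flow: exchange the authorization code at /connect/token."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": code_verifier,  # assumed: PKCE verifier sent by a public client
    }
    return {
        "url": f"{AUTH_SERVER}/connect/token",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode(body),
    }


def build_userinfo_request(access_token):
    """Step 2: fetch the logged-in user's profile, presenting the access token as Bearer."""
    return {
        "url": f"{AUTH_SERVER}/connect/userinfo",
        "headers": {"Authorization": f"Bearer {access_token}"},
    }


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying it (inspection only, like DevTools does)."""
    _header, payload, _signature = token.split(".")
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def seconds_until_expiry(token, now=None):
    """Remaining lifetime from the exp claim; negative once the token has expired."""
    now = time.time() if now is None else now
    return jwt_claims(token)["exp"] - now


def _make_unsigned_jwt(claims):
    # Constructed sample token for the demo: header + payload, empty signature.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed token with the question's 15-second access token lifetime.
SAMPLE_TOKEN = _make_unsigned_jwt({"sub": "user-1", "iat": 1_700_000_000, "exp": 1_700_000_015})
```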