From 74f8cd53a6160dfa1f6a8b49573a5cadd7083dac Mon Sep 17 00:00:00 2001
From: Kyle Spearrin
Date: Tue, 23 Jan 2024 17:21:50 -0500
Subject: [PATCH 1/3] adjust refresh token lifetimes
---
 src/Identity/IdentityServer/ApiClient.cs | 2 +-
 src/Identity/IdentityServer/StaticClientStore.cs | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/Identity/IdentityServer/ApiClient.cs b/src/Identity/IdentityServer/ApiClient.cs
index d4eafe1d486e..1f29c5bc6d63 100644
--- a/src/Identity/IdentityServer/ApiClient.cs
+++ b/src/Identity/IdentityServer/ApiClient.cs
@@ -15,7 +15,7 @@ public ApiClient(
 ClientId = id;
 AllowedGrantTypes = new[] { GrantType.ResourceOwnerPassword, GrantType.AuthorizationCode, WebAuthnGrantValidator.GrantType };
 RefreshTokenExpiration = TokenExpiration.Sliding;
- RefreshTokenUsage = TokenUsage.ReUse;
+ RefreshTokenUsage = TokenUsage.OneTimeOnly;
 SlidingRefreshTokenLifetime = 86400 * refreshTokenSlidingDays;
 AbsoluteRefreshTokenLifetime = 0; // forever
 UpdateAccessTokenClaimsOnRefresh = true;
diff --git a/src/Identity/IdentityServer/StaticClientStore.cs b/src/Identity/IdentityServer/StaticClientStore.cs
index 811880dde232..d589ab219e66 100644
--- a/src/Identity/IdentityServer/StaticClientStore.cs
+++ b/src/Identity/IdentityServer/StaticClientStore.cs
@@ -10,8 +10,8 @@ public StaticClientStore(GlobalSettings globalSettings)
 {
 ApiClients = new List
 {
- new ApiClient(globalSettings, BitwardenClient.Mobile, 90, 1),
- new ApiClient(globalSettings, BitwardenClient.Web, 30, 1),
+ new ApiClient(globalSettings, BitwardenClient.Mobile, 60, 1),
+ new ApiClient(globalSettings, BitwardenClient.Web, 7, 1),
 new ApiClient(globalSettings, BitwardenClient.Browser, 30, 1),
 new ApiClient(globalSettings, BitwardenClient.Desktop, 30, 1),
 new ApiClient(globalSettings, BitwardenClient.Cli, 30, 1),
From 1d453ca9cbcf05070816f3a19595e8850cf2884c Mon Sep 17 00:00:00 2001 
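Review bot: Switching the changed line to `TokenUsage.OneTimeOnly` makes every refresh consume the presented token, so two refresh requests in flight from the same client (several web tabs, a mobile app refreshing in the background) will race and the loser gets invalid_grant and is effectively logged out; nothing in this hunk or the commit message says how the clients serialize refreshes, so that contract should be written next to the flag, e.g. `// OneTimeOnly: each refresh rotates the token; a client must not issue concurrent refreshes or the second one fails.` Whether presenting an already-consumed token also revokes the rest of the session depends on the IdentityServer version in use, which is not visible here. With `AbsoluteRefreshTokenLifetime = 0` two lines below, the sliding window is the only time bound, so rotation is doing most of the work against a leaked refresh token. The `ApiClient(` constructor starts before this hunk.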
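Review bot: The changed `ApiClient` entries still pass the lifetimes as bare positional integers, so nothing in the initializer says that the third argument is a sliding lifetime in days (only the `ApiClient` hunk above, via `86400 * refreshTokenSlidingDays`, establishes that) or what the trailing `1` means, and after this change Web is 7 days while Browser, Desktop and Cli stay at 30, which a reader cannot distinguish from a typo. Add a one-line comment above the initializer naming each positional argument and why the web client's window is shorter than the other clients' (presumably because of where that client keeps its tokens, but the commit message does not say), e.g. `// (client, sliding refresh-token lifetime in days, ...) — Web is shorter on purpose`. The `StaticClientStore` constructor starts before this hunk and the initializer continues past its last line.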
From: Kyle Spearrin
Date: Wed, 24 Jan 2024 09:35:24 -0500
Subject: [PATCH 2/3] fix broken grant delete
---
 .../Auth/Repositories/GrantRepository.cs | 19 ++++++------------
 1 file changed, 6 insertions(+), 13 deletions(-)
diff --git a/src/Infrastructure.EntityFramework/Auth/Repositories/GrantRepository.cs b/src/Infrastructure.EntityFramework/Auth/Repositories/GrantRepository.cs
index f22384afbc5d..09fd46835b42 100644
--- a/src/Infrastructure.EntityFramework/Auth/Repositories/GrantRepository.cs
+++ b/src/Infrastructure.EntityFramework/Auth/Repositories/GrantRepository.cs
@@ -19,11 +19,7 @@ public async Task DeleteByKeyAsync(string key)
 using (var scope = ServiceScopeFactory.CreateScope())
 {
 var dbContext = GetDatabaseContext(scope);
- var query = from g in dbContext.Grants where g.Key == key select g;
- dbContext.Remove(query);
- await dbContext.SaveChangesAsync();
+ await dbContext.Grants.Where(g => g.Key == key).ExecuteDeleteAsync();
 }
 }
@@ -32,14 +28,11 @@ public async Task DeleteManyAsync(string subjectId, string sessionId, string cli
 using (var scope = ServiceScopeFactory.CreateScope())
 {
 var dbContext = GetDatabaseContext(scope);
- var query = from g in dbContext.Grants where g.SubjectId == subjectId && g.ClientId == clientId && g.SessionId == sessionId && g.Type == type select g;
- dbContext.Remove(query);
- await dbContext.SaveChangesAsync();
+ await dbContext.Grants.Where(g => g.SubjectId == subjectId && g.ClientId == clientId && g.SessionId == sessionId && g.Type == type).ExecuteDeleteAsync();
 }
 }
From 873672673225195c0f545876a9a4dadd96a0fe0e Mon Sep 17 00:00:00 2001
From: Kyle Spearrin
Date: Mon, 29 Jan 2024 13:25:36 -0500
Subject: [PATCH 3/3] Update ApiClient.cs
---
 src/Identity/IdentityServer/ApiClient.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Identity/IdentityServer/ApiClient.cs b/src/Identity/IdentityServer/ApiClient.cs
index 1f29c5bc6d63..d4eafe1d486e 100644 
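Review bot: The added `ExecuteDeleteAsync()` call in `DeleteByKeyAsync` discards the affected-row count, so a revocation that matches no grant is indistinguishable from one that worked; in a persisted-grant store this key delete is presumably how a refresh token gets revoked, so keeping the count and logging when it is zero would make missed revocations visible, e.g. `var deleted = await dbContext.Grants.Where(g => g.Key == key).ExecuteDeleteAsync();` followed by a debug log if the repository has a logger (none is visible in this hunk). Also worth a comment on that line: `ExecuteDeleteAsync` issues the DELETE immediately and bypasses the change tracker and any SaveChanges interceptors, which is fine here unless something relies on those hooks, and it needs EF Core 7 or later, which the hunk does not let me confirm. The `DeleteByKeyAsync` signature appears only in the hunk header, so the method starts before this hunk.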
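Review bot: The rewritten predicate in `DeleteManyAsync` compares every filter column with `==`, so a null `sessionId` or `type` translates to an `IS NULL` match and deletes only rows whose column is null rather than acting as a wildcard; if callers follow the IdentityServer persisted-grant filter convention where a null field means "any" (the callers are not in this hunk), the bulk delete silently removes nothing. The removed LINQ query had the same predicate, so this is not introduced by the commit, but now that the delete actually executes it is the moment to confirm it, and if the wildcard convention applies the query should be built conditionally as below. The method signature is truncated in the hunk header and its body starts before this hunk.
```csharp
var query = dbContext.Grants.Where(g => g.SubjectId == subjectId && g.ClientId == clientId);
if (sessionId != null) { query = query.Where(g => g.SessionId == sessionId); }
if (type != null) { query = query.Where(g => g.Type == type); }
await query.ExecuteDeleteAsync();
```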
--- a/src/Identity/IdentityServer/ApiClient.cs
+++ b/src/Identity/IdentityServer/ApiClient.cs
@@ -15,7 +15,7 @@ public ApiClient(
 ClientId = id;
 AllowedGrantTypes = new[] { GrantType.ResourceOwnerPassword, GrantType.AuthorizationCode, WebAuthnGrantValidator.GrantType };
 RefreshTokenExpiration = TokenExpiration.Sliding;
- RefreshTokenUsage = TokenUsage.OneTimeOnly;
+ RefreshTokenUsage = TokenUsage.ReUse;
 SlidingRefreshTokenLifetime = 86400 * refreshTokenSlidingDays;
 AbsoluteRefreshTokenLifetime = 0; // forever
 UpdateAccessTokenClaimsOnRefresh = true;
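Review bot: The changed line puts `RefreshTokenUsage` back to `TokenUsage.ReUse` with no rationale in the commit message ("Update ApiClient.cs"), while the surrounding lines still set `AbsoluteRefreshTokenLifetime = 0`, so a refresh token that leaks stays valid for as long as anyone keeps exercising it inside the sliding window, with explicit grant deletion as the only revocation path. Record why rotation was dropped next to the flag so the next engineer does not re-enable `OneTimeOnly` without addressing the same problem, e.g. `// ReUse: refresh tokens are not rotated; a leaked token is bounded only by the sliding lifetime and explicit grant deletion.` If the reason was concurrent client refreshes failing under rotation, say so there; that is my guess, the series does not state it. A non-zero `AbsoluteRefreshTokenLifetime` would put a hard ceiling on a reused token and is worth considering alongside this revert. The `ApiClient(` constructor starts before this hunk.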