We’re using Umbraco (v14+) with external authentication via OpenIdConnect (SSO). Everything works as expected on initial login, but the user’s authentication session is lost after exactly 30 minutes — even though the external SSO session is still valid (set to 2 hours). This is causing 403 errors on all our custom controller endpoints that rely on [Authorize], breaking our dashboard functionality (e.g., API calls for exporting Power BI visuals, renewing embedded tokens, etc.).
What We’ve Tried So Far:
- Tried different Microsoft.AspNetCore.Authentication.OpenIdConnect options in Umbraco AddMemberLogin
→ including UseTokenLifetime, which indicates that the authentication session lifetime (e.g. cookies) should match that of the authentication token. None of the options had any effect on the session expiration time.
- Set Umbraco:CMS:Global:Timeout to 120 (minutes)
→ This appears to be ignored when using external login.
- Set Umbraco:CMS:Security:KeepUserLoggedIn to true
→ This appears to be ignored when using external login. No effect.
- Investigated ExternalLoginSignInAsync
→ Doesn’t allow passing authentication properties such as ExpiresUTC, besides the isPersistent flag, which seems to be ignored
- Tried overriding Umbraco SignInOrTwoFactorAsync() to explicitly set authentication properties via SignInAsync()
→ No effect; the expiration settings seem to be ignored
What Seems to Be Happening:
The ASP.NET Identity auth cookie is being issued with a 30-minute lifetime, and it’s not respecting either the Umbraco Timeout setting or the OpenID Connect token expiration. It seems like Umbraco overrides the ASP.NET Identity authentication cookie lifetime settings with a default 30-minute value/lifetime for external logins, but we can’t find a reliable way to extend the session duration to match the upstream SSO token.
Our Goal:
Ensure the authentication session in Umbraco/.NET remains valid as long as the SSO session (2 hours), or ideally, have sliding expiration work properly while the user is active.