Process LockedOut status with Kentor/Owin - owin

I'm using the Kentor/SampleOwinApplication and I can successfully sign in and out from my Idp. Now I've made some tests with revoked users in the Asp.Net database. After successful federation signin and back into ExternalLoginCallback, SignInManager.ExternalSignInAsync returns LockedOut and I land on the revoke page.
The problem is that I'm not signed in to Asp.Net but I still am to my Idp, so if I try to log in again, I'm considered already signed in and I am redirected instantly back to my service without the chance to try to log in with another user.
I understand I would need to log out from my IDP when in the LockedOut status but it seems hard to do with Kentor because specifically I'm not signed in on the Asp.net site!

Interesting border case!
What you should do is, when you find out in ExternalLoginCallback that you are locked out, kick off a federated logout by initiating a logout with the external identity as an argument. That will redirect the user to the Idp and invalidate the Idp session.
Note that this might have side effects if the user is already logged in to other services from the same Idp. Those other services will be logged out too.

Related

React app using msal-react, how to automatically authenticate user

I'm working on a react app where the pages can be used both by authenticated and anonymous users. The pages show more features for the authenticated users.
If a user has previously signed in and revisits the website, I want the user to be automatically authenticated, and am struggling to achieve this.
I'm using redirect methods because I don't believe popup is working well on phones (is that assumption correct?).
I have tried storing the homeAccountId in local storage and using that to get the account used and then calling login on the msal instance. I also set up an addEventCallback and listen for EventType.LOGIN_SUCCESS, which I use to set some internal state about the logged-in user.
I have tried using MsalAuthenticationTemplate but strangely this doesn't invoke a login. I have also tried to detect if this is a "first run" and then invoke the login, but that doesn't work all the time. Sometimes I get an SSO error indicating I should provide a login_hint or sid, which is not possible because I use B2C.
If I don't do anything the user can click the login button, and if the user has a valid cookie with B2C the user is logged in without providing credentials, which is strange behavior for the user because my website indicates the user is not authenticated (and shows no logout button).
So I can't really get this to work and am wondering if somebody has a concept for achieving this?
Please check out the msal-react samples, which all demonstrate the behavior you're looking for. The MsalAuthenticationTemplate would be the recommended way to do this, and if you're still having issues getting this to work after reviewing the samples I would recommend opening an issue on our repo with code snippets so we can take a closer look at what's going on.
Also using localStorage, if you're not already, would help to maintain application state between browser sessions. sessionStorage is the default.
As for B2C not asking for credentials; server state is separate from client state. You can be signed in on the server without the application knowing about it. Until your application makes a request to the B2C server your application will show that a user is not signed in. If a session already exists on the server when you make a login request, the server may redirect you back to your application without asking for credentials again.
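The page-load logic the answer describes, written out as an added example (not from the msal-react samples): consume a pending redirect first, then use the cached account from localStorage to ask B2C silently whether its session is still valid, and stay anonymous when it isn't. The initialized `PublicClientApplication` from @azure/msal-browser is passed in as a parameter so the decision logic can run without a browser; the config, tenant and policy names are assumptions.

```javascript
const msalConfig = {
  auth: {
    clientId: "00000000-0000-0000-0000-000000000000", // assumption
    authority: "https://contoso.b2clogin.com/contoso.onmicrosoft.com/B2C_1_signupsignin", // assumption
    knownAuthorities: ["contoso.b2clogin.com"],
    redirectUri: "/",
  },
  // sessionStorage (the default) forgets the account when the tab closes;
  // localStorage keeps it, which is what makes a silent restore on revisit possible.
  cache: { cacheLocation: "localStorage" },
};

// msal-browser throws InteractionRequiredAuthError when the server wants a user in front of it.
function isInteractionRequired(err) {
  return Boolean(err) && (
    err.name === "InteractionRequiredAuthError" ||
    ["interaction_required", "login_required", "consent_required"].includes(err.errorCode)
  );
}

async function restoreSession(msal, scopes) {
  // 1. A pending redirect response must be consumed before anything else; if the
  //    user is coming back from B2C, that result wins over whatever is cached.
  const fromRedirect = await msal.handleRedirectPromise();
  if (fromRedirect && fromRedirect.account) {
    msal.setActiveAccount(fromRedirect.account);
    return { status: "signed-in", via: "redirect", account: fromRedirect.account };
  }

  // 2. Without a cached account there is nothing to hand to ssoSilent: B2C has no
  //    sid/login_hint to fall back on, which is the error quoted in the question.
  const [account] = msal.getAllAccounts();
  if (!account) return { status: "anonymous", via: "no-cached-account" };

  // 3. Ask B2C, in a hidden iframe, whether its own session cookie is still valid.
  try {
    const result = await msal.ssoSilent({ account, scopes });
    msal.setActiveAccount(result.account);
    return { status: "signed-in", via: "ssoSilent", account: result.account };
  } catch (err) {
    if (isInteractionRequired(err)) {
      // The B2C session is gone: the app stays anonymous and the user clicks "Sign in".
      // Calling msal.loginRedirect({ account, scopes }) here instead would force it.
      return { status: "anonymous", via: "interaction-required", error: err.errorCode };
    }
    if (err.errorCode === "monitor_window_timeout") {
      // Third-party cookies blocked (Safari ITP and similar): the iframe can never see
      // the B2C cookie, so silent restore is impossible; treat as anonymous, not as a bug.
      return { status: "anonymous", via: "silent-unavailable", error: err.errorCode };
    }
    throw err;
  }
}
```

In a msal-react app this runs once on mount (after `initialize()` on msal-browser v3) and the returned status drives the "logged in" UI state, which is what keeps the app's view in line with the server-side session the answer describes.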

How to disable automatic browser cookie login with Web.TPEngine.Providers.SelfAssertedAttributeProvider

I am using B2C custom policies.
I am using Web.TPEngine.Providers.SelfAssertedAttributeProvider documented here:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/self-asserted-technical-profile
The signin relying party of the custom policy is working well, except that users don't get a user/password challenge after a successful login. I guess the technical profile uses browser cookies like "x-ms-cpim-cache|o4wex_p_gejeeak6w_0" for the domain b2clogin.com to remember a successful login for at least a browser session.
The Metadata "setting.enableRememberMe" is at the default, which is set to false.
I need to make sure users are challenged with user/pwd every time the signin relying party is called. Is there any way to disable the auto-login with the cookie cache?
Set the session management technical profile to SM-Noop on the sign in technical profile.
For JavaScript apps, this will break silent token calls for an access token.
Other option, for initial logins, send the query param prompt=login which will kill the cookies when the user arrives at B2C. This at least keeps silent token calls working for JS apps.
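The first option as a policy fragment, added here as an illustration (not taken from the question's policy): in the starter pack the local-account sign-in technical profile references `SM-AAD`, which is the session provider that reuses the b2clogin.com cookie. Overriding that profile in `TrustFrameworkExtensions.xml` with `SM-Noop` (defined in the starter pack's `TrustFrameworkBase.xml`) is enough; the technical profile Id below is the starter pack's, everything else in the policy is left as is.

```xml
<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>Local Account SignIn</DisplayName>
    <TechnicalProfiles>
      <!-- Override only the session provider of the base profile. -->
      <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
        <!-- Before (starter pack): <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" /> -->
        <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>
```

With `SM-Noop` no B2C session is written at all, which is why the answer warns that silent (`prompt=none`) token calls from a JavaScript app stop working: there is no session for them to find.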

Changing sign-in name in AAD B2C

I'm trying to implement Change Sign-in Name flow from AAD B2C samples. Basically the policy works but the problem is that the user is still logged in after changing his e-mail.
In my understanding changing the primary identity must invalidate all issued tokens/sessions immediately and force the user to re-authenticate. How come this can be secure and isn't addressed in the sample? How can I do it? I could redirect the request to the B2C sign-out endpoint but here is another issue:
When a user clicks the "Change Sign-In Name" link he gets redirected to the policy endpoint with a specified redirect_uri query string param. In my case it's https://localhost:44300. The problem is that he gets redirected back to my site both when he finishes the flow and when he cancels it, and I cannot distinguish between the two, as there seems to be nothing in the request to check.
So, how can I get the user back to https://localhost:44300 if he cancels the flow (the email isn't changed) and perform Single Sign-Out if he finishes the flow?
Why should changing a username invalidate the session? I can only agree with password change. B2C has no understanding of what is happening (except for password changes) it simply does what you’ve asked. All journeys issue a token at the end, you can put a self asserted page and disable the continue button, then use JavaScript to send the user to the app’s logout route if this is what you want.
In the successful policy execution, you get a token back with the unique policy id.
In a failure you get an error sent to the app. Use this to distinguish between them.
To manage the user cancelling, send an encoded state parameter with the auth request; it'll be returned with the "cancel error" (AADB2C error "user cancelled") to your app, then do the logout. Seems like very poor UX and no security gains.
This is a very good question. When the token is generated it has a lifespan of a set time. For example 1 hour.
When you use this token, it is assumed that the user is good-to-go until the token expires and a refresh token is issued.
When the refresh token is consumed is when a new validation will occur and will need to re-authenticate.

Can I just see if user is authenticated from Microsoft without saving credentials info in Cookies

I am using Microsoft authentication for users but I don't want the user credentials to be saved in cookies, so that it asks every time a particular action is performed in the application.
I have created a simple web app with external authentication from Microsoft, but when a user gets signed in it doesn't ask the user for credentials from the second time on and redirects to the RedirectUrl directly because the user information is already there in cookies. Normally this behavior looks fine, but I have certain tasks in my Web App which need authentication from the external source (Microsoft) every time these tasks are performed by the user. I tried setting the token lifetime in Azure but it says the lifetime cannot be less than 10 minutes.
Note: I can't call signout user because it is not a silent signout.
How can I achieve it?
You can set prompt=login parameter in the authentication request. Then the user should be prompted to re-authenticate even if the user has already been authenticated.
Reference:
https://learn.microsoft.com/en-us/azure/active-directory/azuread-dev/v1-protocols-oauth-code#request-an-authorization-code
https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-js-prompt-behavior

in ASP.NET Web API, How to de-authorize a user immediately after account lock-out or delete?

I'm building a new Web API application using OWIN cookie authentication (ASP.NET Identity 2.2) for security.
I'm new to the whole cookies thing, but I've got a head-scratching problem: How is a logged-in user immediately blocked from using the API if their account has been deactivated (either deleted or locked-out)?
This arises after a startling discovery that if I have a user logged in on a client app, and I delete their user account via a different app, they are still able to access the API (i.e. the [Authorize] filter still succeeds because their cookie is still valid).
Somebody please correct me if I'm wrong, but AFAIK, cookies are not stored on the server, so there is no way to "invalidate" the cookie.
Yes, if the user logs out, they won't be able to log back in again. Also, I understand that setting an expiry on every cookie upon successful login will mitigate the problem.
But what about the following scenario: a system administrator (let's call him JoeAdmin) gets fired or otherwise becomes untrusted and some other administrator locks out his account. If JoeAdmin happened to be logged in when he got fired and became disgruntled, he still has access to the system and can do some real damage.
In this scenario, how could JoeAdmin be blocked immediately?
JoeAdmin happened to be logged in when he got fired and became disgruntled
Also JoeAdmin could have saved the cookie value offline, waiting for his account to be revoked, and then later restore the cookie value to his browser.
OWIN cookie authentication is not ideal if you ever need to immediately invalidate logins.
This is because all the state information about the user is stored client-side, authenticated with a secret only on the server-side.
That said, you could do something with OAuth2 refresh tokens like here, e.g. have an access token that expires after, say, a minute, which when expired the application has to use a refresh token in order to gain an access token for another minute.
This way, any revoked accounts are only exposed for a short time. However, you may need to deal with the complexity of out-of-sync clocks on client and server.
Long story short, if you need to secure your system in this way, traditional server-side tokens would be the way to go. They are more secure in this regard.
The risks with using OWIN cookies are very similar to those of using JWTs for authentication. See this comment and the associated question and answer.

Resources