The problem I've experienced with claims based solutions in web apps so far is that if, on the SSO server, I revoke claims or delete the user account, the user's token is still in their cookies and is therefore still valid until the token expires, allowing them to continue to access the web app. Is there a way to force update a user's token or force revoke a token (or just check back with the identity server every time the user tries to load a page?) as soon as a change is made on the server? The same goes for updating claims... sometimes we add rights. It's very annoying to users to have to logout and log back in. Please help. We're using C# Web Apps and Thinktecture IdentityServer v3
- If you're changing claims so frequently, then perhaps you should not put them into the cookie. It is a copy of the claims, of course. – Brock Allen Apr 27 '16 at 16:06
- @BrockAllen How can I still use claims but not put them into the cookie? Also, is there any way to unauthorize a user so they can't use the site anymore if I delete their account from IdentityServer? – Pugz Apr 27 '16 at 16:08
- You can use claims transformation or just make round trips to the DB if/when you need more info about the user. That's the trade off for not putting the claims in the cookie. – Brock Allen Apr 27 '16 at 19:30
- @BrockAllen I must be missing something... I've got IDS deployed and it looks to me that the cookie always has all of the tokens. How do I go about making round trips to the DB from the application (I don't know what you mean exactly by this... do you mean round trips to IDS??) – Pugz Apr 27 '16 at 19:46
- https://leastprivilege.com/2015/11/25/reference-tokens-and-introspection/ – leastprivilege Apr 27 '16 at 20:04
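As an added example (not code from the thread, Thinktecture, or IdentityServer3), here is one way to do the "check back with the identity store on each request" the question asks for inside the Katana cookie middleware: `OnValidateIdentity` re-checks the user at most every `CheckInterval`, rejects the cookie if the account is gone, and reissues it with fresh claims when a version counter has changed. `IUserStateStore`, `UserState`, and the `urn:app:claims-version` claim type are hypothetical; `sub` is the subject claim IdentityServer3 issues.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security.Cookies;

// Hypothetical store, backed by whatever the SSO side updates: returns null when the
// account was deleted, otherwise the current claims plus a counter bumped on every change.
public interface IUserStateStore { Task<UserState> GetAsync(string subject); }
public class UserState { public int Version; public Claim[] Claims; }

public static class RevocationAwareCookies
{
    const string VersionClaim = "urn:app:claims-version";          // constructed claim type
    static readonly TimeSpan CheckInterval = TimeSpan.FromMinutes(2); // max revocation latency

    public static CookieAuthenticationOptions Build(IUserStateStore store) =>
        new CookieAuthenticationOptions
        {
            AuthenticationType = "Cookies",
            Provider = new CookieAuthenticationProvider
            {
                OnValidateIdentity = ctx => ValidateAsync(ctx, store)
            }
        };

    static async Task ValidateAsync(CookieValidateIdentityContext ctx, IUserStateStore store)
    {
        // Cheap path: trust the cookie until CheckInterval has passed since it was issued.
        var issued = ctx.Properties.IssuedUtc ?? DateTimeOffset.MinValue;
        if (DateTimeOffset.UtcNow - issued < CheckInterval) return;

        var subject = ctx.Identity.FindFirst("sub")?.Value;
        var state = subject == null ? null : await store.GetAsync(subject);
        if (state == null) { ctx.RejectIdentity(); return; } // deleted or revoked: treat as signed out

        var known = ctx.Identity.FindFirst(VersionClaim)?.Value;
        if (known == state.Version.ToString()) { Reissue(ctx, ctx.Identity); return; }

        // Claims changed on the SSO side: rebuild the identity from the fresh set.
        var fresh = new ClaimsIdentity(ctx.Identity.AuthenticationType, "name", "role");
        fresh.AddClaim(new Claim("sub", subject));
        fresh.AddClaim(new Claim(VersionClaim, state.Version.ToString()));
        fresh.AddClaims(state.Claims);
        Reissue(ctx, fresh);
    }

    static void Reissue(CookieValidateIdentityContext ctx, ClaimsIdentity identity)
    {
        ctx.Properties.IssuedUtc = null;   // clear so the new cookie gets a fresh IssuedUtc
        ctx.Properties.ExpiresUtc = null;  // and the interval restarts from now
        ctx.ReplaceIdentity(identity);
        ctx.OwinContext.Authentication.SignIn(ctx.Properties, identity);
    }
}
```

Revocation takes effect within `CheckInterval` rather than at token expiry; set it to zero to hit the store on every request, at the cost of a round trip per page load, or move the check to the API side with reference tokens and introspection as the last comment suggests.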