We develop an multi-tenant application based on Identity authentication. Each user get a token session, stored in database, to tell if the user is still connected (with expiration time). I store the token (and others informations about the user company) in user Claim. After that Identity detect that the user is still connected (or not), I need to check if the user token is still valid in our database (but only if he's connected), so I implemented AuthorizationHandler.
public TokenValidHandler(MyDatabaseService service)
{
// No information about the user connection string
}
protected override async void Handle(AuthorizationContext context, TokenValidRequirement requirement)
{
// Check the token in database
}
And I register my Handler like this :
services.AddAuthorization(options =>
{
options.AddPolicy("TokenValid",policy => policy.Requirements.Add(new TokenValidRequirement()));
});
services.AddSingleton<IAuthorizationHandler, TokenValidHandler>();
Because we have an multi-tenant application, when the user quit the application and re-open the site, his connection string is lost (and we don't want to persist database string), so I use informations stored in Claim to recover the database access. If the authentication expired, no informations are available in Claim, so I cannot access to my database.
As I can see, TokenValidHandler is instanciated even if the user is not connected, is that normal ? Because in the case he's not, and I wanted to use dependency injection for my database service, I cannot because informations about the user database access are not here : Identity is not detecting soon enough that the user authentication expired. Any ideas about that ?
