
In this post there is a discussion of multiple policies in B2C to secure different endpoints, thereby forcing someone to log in again for more sensitive resources.

This sounds great, and was echoed in this SO post where examples of Facebook or Google were given.

I've tried implementing this, setting two acceptable policies on one controller and a single policy on another.

And if you choose the page with the less secure policy and log in, and then you choose the other page with the more secure policy, you're asked to log in again. So far, so good.

But now the cookie contains the short-lived expiration from the secure policy, so you'll be asked to log in again after that cookie expires, even though your cookie from the original less secure login is still valid. And you're stuck logging in repeatedly after the short interval of the more secure cookie.

How do I tell it to switch back to use the still valid old cookie (if it even still exists)?

I've been thinking about this and I'm not sure if a better way to handle it is to check the issued-at claim in the authorization policy to see if it was recent enough and, if not, return unauthorized so they'll be forced to log in again. They'll get another long-lived token at that point, with a new issued-at claim, and they're good to go anywhere on the site.

Any ideas?

TIA

Bill Noel
  • Were you able to solve this? Attempting to implement something similar and can see that I'm probably going to run into the same issue. – justrhysism May 01 '18 at 00:31
  • 1
    If I remember correctly, I bailed on the idea entirely. My application is part web, part native and I ended up moving to permission claims inside a token/cookie that I created myself. I really like B2C, but it's easy to get caught up in the cookbook details and then have them drift out from under you. I use the identity token from B2C and then take it from there. And yes, I had to handle refresh tokens myself, too. Everyone says don't put permissions in access tokens, but I've kept this list short and the permissions small. I have no public API and besides, I have to get to market someday. – Bill Noel May 01 '18 at 15:52
  • 1
    Thanks for taking the time to respond. Unfortunately, I don't have the option of bailing - may have to figure it out on my own, blog about it, and then fix it when someone finally tells me _how_ I've done it wrong haha - Thanks again – justrhysism May 01 '18 at 23:19

0 Answers
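The question above floats the idea of checking the token's issue time inside an authorization policy and forcing a fresh login when it is too old, instead of juggling two B2C cookies with different lifetimes. The following is an added example of that approach for ASP.NET Core, not code from the question or from a posted answer. It assumes ASP.NET Core 5.0 or later (for `IAuthorizationMiddlewareResultHandler`), that the B2C `id_token` carries an `auth_time` claim (seconds since the Unix epoch) with `iat` as a fallback, and that the claims are not renamed by inbound claim mapping. The policy name `Sensitive` and the five-minute window are hypothetical.

```csharp
using System;
using System.Globalization;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Policy;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

// Requirement: the user must have authenticated interactively within MaxAge.
public sealed class RecentAuthenticationRequirement : IAuthorizationRequirement
{
    public RecentAuthenticationRequirement(TimeSpan maxAge) => MaxAge = maxAge;
    public TimeSpan MaxAge { get; }
}

public sealed class RecentAuthenticationHandler
    : AuthorizationHandler<RecentAuthenticationRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, RecentAuthenticationRequirement requirement)
    {
        // Assumption: B2C puts auth_time (Unix seconds) in the id_token; fall back to iat.
        var raw = context.User.FindFirst("auth_time")?.Value
                  ?? context.User.FindFirst("iat")?.Value;

        if (raw != null &&
            long.TryParse(raw, NumberStyles.Integer, CultureInfo.InvariantCulture, out var seconds))
        {
            var authenticatedAt = DateTimeOffset.FromUnixTimeSeconds(seconds);
            var age = DateTimeOffset.UtcNow - authenticatedAt;

            // Reject negative ages too: a claim dated in the future is not "recent", it is suspect.
            if (age >= TimeSpan.Zero && age <= requirement.MaxAge)
                context.Succeed(requirement);
        }

        // Not calling Succeed leaves the requirement failed; the result handler below
        // turns that failure into a login challenge rather than a 403.
        return Task.CompletedTask;
    }
}

// By default an already-authenticated user who fails a policy gets 403 Forbidden.
// The question wants a re-login instead, so convert this one failure into a challenge.
public sealed class ReauthenticateOnStaleLoginHandler : IAuthorizationMiddlewareResultHandler
{
    private readonly AuthorizationMiddlewareResultHandler _default =
        new AuthorizationMiddlewareResultHandler();

    public Task HandleAsync(RequestDelegate next, HttpContext context,
        AuthorizationPolicy policy, PolicyAuthorizationResult authorizeResult)
    {
        if (authorizeResult.Forbidden && authorizeResult.AuthorizationFailure != null)
        {
            foreach (var failed in authorizeResult.AuthorizationFailure.FailedRequirements)
            {
                if (failed is RecentAuthenticationRequirement)
                {
                    // Challenge runs the configured scheme's login flow (here, the B2C redirect).
                    return _default.HandleAsync(next, context, policy,
                        PolicyAuthorizationResult.Challenge());
                }
            }
        }
        return _default.HandleAsync(next, context, policy, authorizeResult);
    }
}

public static class SensitivePolicySetup
{
    // Hypothetical registration; call from Startup.ConfigureServices or Program.cs.
    public static void Configure(IServiceCollection services)
    {
        services.AddSingleton<IAuthorizationHandler, RecentAuthenticationHandler>();
        services.AddSingleton<IAuthorizationMiddlewareResultHandler, ReauthenticateOnStaleLoginHandler>();

        services.AddAuthorization(options =>
        {
            // Ordinary pages use the default policy; only [Authorize(Policy = "Sensitive")]
            // endpoints demand a login no older than five minutes.
            options.AddPolicy("Sensitive", policy =>
            {
                policy.RequireAuthenticatedUser();
                policy.Requirements.Add(new RecentAuthenticationRequirement(TimeSpan.FromMinutes(5)));
            });
        });
    }
}
```

With this in place there is only ever one cookie, issued with the normal (long) lifetime; the sensitive controller simply refuses to serve until the login behind that cookie is fresh, and the challenge it triggers replaces the cookie with one carrying a new `auth_time`. Two checks worth making before relying on it: confirm in a decoded B2C `id_token` that `auth_time` is actually emitted by the user flow you use, and confirm whether a silent B2C single sign-on during the challenge refreshes that claim or merely re-issues the old time, since the latter would loop back to the original problem.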