
I have a Blazor server-side application that uses .NET core 3.1. It uses Microsoft.AspNetCore.Authentication.Negotiate to authenticate user through Windows Credentials/Active Directory.

The issue I have is how to sign out a user. After various research I found out that certain external authentication methods do not support sign out. For example, Windows/AD does not need to be explicitly signed out. The only thing you need to do is clear the identity and claims principal locally in the application. That is what I am having trouble with. The user also signs out automatically when you close the browser.

I am using this middleware to authenticate using Negotiate and am trying to clear the user's claims during sign out. But it doesn't work.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Authentication;

namespace Test.Middleware
{
    internal class ValidateAuthentication : IMiddleware
    {
        public async Task InvokeAsync(HttpContext context, RequestDelegate next)
        {
            try
            {
                if (context.User.Identity.IsAuthenticated)
                {
                    await next(context);
                }
                else
                {
                    // Ask the Negotiate handler to issue the 401 challenge so the
                    // browser presents a Windows/Kerberos token on the next request.
                    await context.ChallengeAsync("Negotiate");
                }
            }
            catch (InvalidOperationException) // this is for Windows/Negotiate sign out
            {
                // HttpContext.User is rebuilt by the authentication handler on every
                // request, so this replacement only lasts for the rest of this request.
                context.User = new System.Security.Claims.ClaimsPrincipal();
            }
        }
    }
}

Here is my configuration of services

public void ConfigureServices(IServiceCollection services)
{
    services.AddRazorPages();
    services.AddServerSideBlazor();
    services.AddElasticsearch(Configuration);
    services.AddHttpContextAccessor();
    services.AddScoped<ValidateAuthentication>();
    services.AddAuthentication(NegotiateDefaults.AuthenticationScheme).AddNegotiate();
}

Expected result is for user to be signed out. But the actual result is user remains signed in.
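Because Negotiate rebuilds the principal from the browser's Windows token on every request, the only thing an application can do is remember that an identity asked to be signed out and stop honouring that token until the user explicitly signs in again; the example below (added here, not the asker's code, assuming a singleton SignOutRegistry, the routes /account/signout and /account/signin, and a plain non-Blazor Razor page at /signed-out) shows that pattern. Note that this is an application-level flag, not a real sign-out: the Windows identity is still presented on every request, and the middleware must not call ChallengeAsync for a flagged user, because the challenge would immediately re-establish the same identity.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
namespace Test.Middleware
{
    // Remembers Windows account names that asked to sign out. In-memory and per process,
    // so it resets on restart (assumed acceptable for this illustration).
    public sealed class SignOutRegistry
    {
        private readonly ConcurrentDictionary<string, DateTimeOffset> _signedOut =
            new ConcurrentDictionary<string, DateTimeOffset>(StringComparer.OrdinalIgnoreCase);
        public void MarkSignedOut(string name) => _signedOut[name] = DateTimeOffset.UtcNow;
        public void MarkSignedIn(string name) => _signedOut.TryRemove(name, out _);
        public bool IsSignedOut(string name) => _signedOut.ContainsKey(name);
    }
    // Runs after UseAuthentication(), so Negotiate has already rebuilt context.User for this request.
    internal class ValidateAuthentication : IMiddleware
    {
        private readonly SignOutRegistry _registry;
        public ValidateAuthentication(SignOutRegistry registry) => _registry = registry;
        public async Task InvokeAsync(HttpContext context, RequestDelegate next)
        {
            var name = context.User.Identity?.Name;   // null when the browser sent no Negotiate token
            var path = context.Request.Path;
            if (name != null && path.StartsWithSegments("/account/signout"))
            {
                _registry.MarkSignedOut(name);
                context.Response.Redirect("/signed-out");   // plain page holding only a "sign in" link (assumed)
                return;
            }
            if (name != null && path.StartsWithSegments("/account/signin"))
            {
                _registry.MarkSignedIn(name);
                context.Response.Redirect("/");
                return;
            }
            // No ChallengeAsync here: a challenge just makes the browser present the
            // Windows token again, which is exactly what "signed out" must not do.
            if (name != null && _registry.IsSignedOut(name) && !path.StartsWithSegments("/signed-out"))
            {
                context.User = new ClaimsPrincipal(new ClaimsIdentity()); // anonymous for the rest of this request only
                context.Response.Redirect("/signed-out");
                return;
            }
            await next(context);
        }
    }
}
```

Register it with services.AddSingleton<SignOutRegistry>() and place app.UseMiddleware<ValidateAuthentication>() after app.UseAuthentication() in Configure. In Blazor Server the sign-out link must be a full navigation (for example NavigateTo("/account/signout", forceLoad: true)), because an open circuit keeps the authentication state it was created with and never sees later HTTP middleware changes.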

  • you can't "sign out" of a windows-authenticated app. Because next time you visit the app, the app will just detect your identity and recognise you again. A better question would be - why do you think you need a "sign out" feature in this situation? Why do you think you need to clear the claims etc? Any data held in the server's memory will expire when the session does. But it doesn't matter a lot really because next time the user visits the app, it'll be loaded again automatically. So what? I don't really see what problem you think you're solving here. – ADyson May 19 '20 at 18:26
  • Actually it does not keep the identity in the browser. Whenever a user closes their browser, the application seems to forget about them and makes them log in again using Windows/AD credentials. It just would be great to have a manual option for people to sign out, instead of closing the browser every time they want to sign out. – Mykhailo Bykhovtsev May 19 '20 at 19:04
  • "makes them log in again"...you mean it pops up a little confirm box to ask for their username and password? This usually happens only in browsers which don't have the capability to obtain a Kerberos token automatically. IE and Edge can usually do it automatically. Chrome can be configured to do so too, I believe. Firefox or Safari, not so much - they generally require the user's credentials in order to generate a valid token. It's not the application forgetting them, it's the browser needing to obtain a security token to meet the 401 challenge response from the server. – ADyson May 19 '20 at 20:49
  • "It just would be great to have manual option for people to sign out, instead of closing browser every time they want to sign out"...why, what would it achieve? With Windows Auth the whole point is to be automatically recognised, and not need to sign in and out. The whole idea is to be authenticated already, wherever you go within the corporate network. What would anyone gain by signing in and out? Generally they don't need (and mostly it wouldn't be desirable for them to be able) to access the application with a different identity. – ADyson May 19 '20 at 20:50
  • That is because, for the application I develop, part of the requirements is to be able to use AD/Windows credentials to log in. But also part of the specification is to make the application always require the user to sign in and also sign out for security purposes. I agree that if you are already logged into the computer, you already have access. But such are the requirements. That is interesting to know that only Chrome by default requires a token. So essentially there is no way to do what I want to, as I understand what you said. – Mykhailo Bykhovtsev May 19 '20 at 21:09
  • "That is interesting to know that only Chrome by default requires token."...that's not what I said at all. I said that IE and Edge can usually get a Kerberos token without any user interaction. I also said that Chrome can be configured to do so I believe - usually done via Group Policy in a corporate Windows network, and that, to my knowledge, Firefox and Safari will always need to ask the user for explicit credentials in order to generate the token (these credentials are then validated by Active Directory, and a security token is returned, which is then sent to the application). – ADyson May 19 '20 at 21:12
  • "But also part of specifications is to make application always require user to sign in and also sign out for security purposes."...well maybe the specification needs to be changed then, because it doesn't make a lot of sense in this context. There's no "security purpose" needed - the user is already authenticated due to their Windows identity, end of story. Making them sign in and out just annoys them, it doesn't improve security, because their identity is already known. I don't know who wrote your specification but it needs reviewing. – ADyson May 19 '20 at 21:16

0 Answers