
We use IdentityServer to handle SSO authentication across our apps.

My application is an ASP.NET Core 3.0 website that passes the user's token to JavaScript. The JavaScript then calls a separate ASP.NET 2.2 API.

Problem: Logging a user out and back in does not update the ClaimsPrincipal on the API with new claims.

I have confirmed that the Web application has the new claims.

If I login Incognito or clear my cookies the new claim shows up in the API.

I am not sure where the responsibility for getting the claims should be and how to fix it. I assume the claims are part of the encrypted access_token, therefore I assume the Web app is sending a stale access_token to the API. So is the Web App what I need to fix? And what would be the proper fix?

Api Startup Code

services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = "Bearer";
    options.DefaultChallengeScheme = "Bearer";
})
.AddJwtBearer(options =>
{
    options.Authority = oidcSettings.Authority;
    options.Audience = oidcSettings.ApplicationName;
    options.RequireHttpsMetadata = true;
});

Web App Startup Code

services.Configure<CookiePolicyOptions>(options =>
{
    options.MinimumSameSitePolicy = SameSiteMode.Unspecified;
    options.OnAppendCookie = cookieContext => { cookieContext.CookieOptions.SameSite = SameSiteMode.None; };
    options.OnDeleteCookie = cookieContext =>
    {
        cookieContext.CookieOptions.SameSite = SameSiteMode.None; // this doesn't appear to get called.
    };
});

services.AddAuthentication(options =>
{
    options.DefaultScheme = "Cookies";
    options.DefaultChallengeScheme = "oidc";
}).AddCookie("Cookies", options =>
{
    options.SlidingExpiration = false;
    options.ExpireTimeSpan = TimeSpan.FromHours(8);
})
.AddOpenIdConnect("oidc", options =>
{
    options.Authority = oidcSettings.Authority;
    options.RequireHttpsMetadata = true;

    options.ClientId = oidcSettings.ClientId;
    options.ClientSecret = oidcSettings.ClientKey;
    options.ResponseType = OpenIdConnectResponseType.Code;

    options.SaveTokens = true;
    options.GetClaimsFromUserInfoEndpoint = true;

    options.Scope.Add("offline_access");
    options.Scope.Add(oidcSettings.ApplicationName);
    options.ClaimActions.MapJsonKey("role", "role"); // claims I am looking for are mapped here
    options.Events.OnUserInformationReceived = async (context) =>
    {
        await Task.CompletedTask; // confirmed that after new sign in I can see updated info here.
    };
});

TLDR: JavaScript from the web app calls the API using the access_token. When the user logs out and logs back in, the API does not receive updated claims. I am not sure if the issue is that the API needs to call out to IdentityServer for user info, or that the web app is not signing out properly and needs to send a fresh access_token.

  • "ClaimsPrincipal on the API": this principal contains the information from the Access Token. If you can examine the token at a website like https://jwt.io then it's likely that the claims are indeed not part of the token. Question is, what claims are you missing? Please note that not all claims make it to the access token. Perhaps [this question](https://stackoverflow.com/questions/53976553/identityserver4-role-based-authorization-for-web-api-with-asp-net-core-identity) and answers can help you. –  Jun 18 '20 at 09:53
  • Thanks. I used that jwt.io site and it looks like the access_token is missing the new claim, but the auth time on the token is correct. So I assume the issue is in IdentityServer. If I clear cookies, the access_token has the new claim. – KaijuuLambdaFighter Jun 23 '20 at 18:04
  • Where did you clear the cookies? At the IdentityServer website? –  Jun 23 '20 at 18:21
