
Good day all,

I have a web site hosted in Azure. It's running on .NET Core 3.1 using Blazor as a front end. I am using OAuth 2.0 and OpenID Connect with the Microsoft Identity Client 4.14 to authenticate users to the site. I also make API calls to Azure where I use Delegated Permissions requiring consent.

I want to implement site security and still allow the user to use their OAuth credentials.

  1. I want the user to not have to create credentials specifically for this site.
  2. I want to take advantage of Microsoft Identity Platform permissions, consent, etc.
  3. I would like to set an idle timeout.

Here is the part I can't figure out how to achieve.

  1. When a user is on the site and has sat idle for a specific period of time (I'll use 15 minutes as an example), I want the page to lock so the user has to re-enter credentials.
  2. If the user closes the browser and attempts to access the site again, I would like him to be challenged for credentials again. I realize this also means the initial access to that site would also require credentials to be entered.

2 Answers


If you are using standard OIDC flows, after authentication, the user's login timeout experience is between the web application (relying party) and the browser, and is running using standard web sessions. You can simply time out the user based on 15 minutes of inactivity or on browser close, and you should be able to achieve your desired behavior.

Sahil Malik
  • Sahil, Thank you for the response but it seems as though you repeated my question as a statement. I still don't know what I need to do to force the user to enter credentials (password at least) once I determine he has been idle for too long. With OAuth I can't log him out. I could redirect the user to another page but, simply opening the URL to the site in question will log them in, without asking for credentials. Please be more specific as to what I can do. Can I force the user to enter their OAuth password to enter this site and not auto-login? Otherwise a timeout serves no purpose. TY – Gary Tuttle Aug 08 '20 at 05:25
  • Once the website nullifies the session, the user is anonymous at that point. Your website should then redirect the user to the authentication provider. If the authentication provider isn't doing SSO or KMSI, the user will be forced to reauthenticate. This should effectively achieve what you are looking for. – Sahil Malik Aug 09 '20 at 06:16
  • Sahil, I'm trying to understand the underlying code for this whole process, so please excuse the basic questions. I'm using Blazor and there is no session to timeout. So when you say "the website nullifies the session", that would be the equivalent of "I have identified a 15 minute idle time" with JavaScript or something. Unless you know something I don't. That is of course very likely. You said "Redirect to authentication provider". Does that mean to call the "https://login.microsoftonline.com/common/oauth2/v2.0/token" endpoint and request a new token instead of using the refresh token? – Gary Tuttle Aug 10 '20 at 15:18
  • Okay I misunderstood. I thought you had a server side component and the session was between client and server. Either way, if this is purely client side, then you are using either implicit flow or PKCE. In either scenario the client will need to set the idle timeout timer, and delete the access token (and refresh token if PKCE) and re-initiate the sign in experience. OIDC is stateless, both the client and the server cannot directly tell each other what to do. i.e. the client cannot "ask the OAuth provider to authenticate". The client can only invalidate the session, which will cause a relogin. – Sahil Malik Aug 10 '20 at 22:31
  • I do have a server side component but, I'm using Blazor as I mentioned above. There is no server side session with a Blazor app over a SignalR connection. There is nothing to persist client data across multiple requests or pages. There is no server side session to invalidate. Please tell me if I'm wrong about that or if there is something I'm missing here. – Gary Tuttle Aug 11 '20 at 13:20
  • There are two parts to this. (1) How to force the user to login again once a specific idle time has expired. Answer: Delete the token and refresh token, and initiate the request for a new token (New sign in experience) to have the user login again. (2) How can I force the user to enter credentials? You said "The client cannot ask the OAuth provider to authenticate" Does that mean: there is no way for me to force the entry of a username or password if the user is using SSO? – Gary Tuttle Aug 11 '20 at 13:31
  • Sahil, Please confirm point number 2. I don't want to go down a path of additional security development if I don't have to. (2) How can I force the user to enter credentials? You said "The client cannot ask the OAuth provider to authenticate" Does that mean: there is no way for me to force the entry of a username or password if the user is using SSO? – Gary Tuttle Aug 12 '20 at 16:14
  • Hello? Is there a security model or strategy for this, using OIDC? To take advantage of all that OAuth has to offer and yet the little extra security of entering credentials to access a specific site? This allows for a timeout with security. – Gary Tuttle Aug 13 '20 at 16:29

I'm posting this answer to see if there is a better answer. The only thing I don't like about this solution is that the user is left at the prompt "What account do you want to logout of" after they have timed out.

So here's what I did. I have configured OpenID Connect in the Startup.cs class. If I add "prompt=login" to the Startup.cs class > ConfigureServices > OpenIdConnectOptions (see image below), it will force the user to enter their credentials after the logout link has been executed. It's an option to negate "single sign-on".

How it works - When you programmatically execute the logout URL (siteUrl + "AzureAD/Account/SignOut"), it will take you to a page that prompts "What account do you want to logout of". Even if the user does not logout of the account, they are logged out of your application and will need to re-enter credentials. This is the only way I can seem to inform the identity server that we need to re-authenticate this user.

I think it's important to note that, once you make this code change to the Startup.cs, you must logout once to see all the effects of the change in other browsers and tabs. I'm guessing the identity server stores this information as a parameter (prompt=login). Guessing!

I used JavaScript to create the idle timeout and automate the creation and click event for the logout link. I got the JavaScript idea for the idle timeout from this video. "https://youtu.be/cOV0uV_E6bU". Works well.

Startup.cs class
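The client-side half of this answer, the idle timer that drives the sign-out link, written out as an added example. This is not the answer author's JavaScript or the code from the linked video; it assumes the server side already carries the prompt=login setting described above (so the redirect really forces a credential entry), that the sign-out route is the "AzureAD/Account/SignOut" path named in the answer, and that the 15-minute limit from the question is the default. The timer core is kept free of DOM calls so the elapsed-time decision can be exercised outside a browser.

```javascript
// Added example (not code from the original answer): idle-timeout lock for a
// Blazor Server page. The server is assumed to have prompt=login on its
// OpenIdConnectOptions so the sign-out redirect forces re-authentication.

const DEFAULT_IDLE_MS = 15 * 60 * 1000;          // 15 minutes, the figure used in the question
const SIGN_OUT_PATH = 'AzureAD/Account/SignOut'; // logout route named in the answer

// Core timer logic. `now` is injected (defaults to Date.now) so elapsed-time
// decisions are deterministic under test. The decision is based on wall-clock
// time since the last activity, not on how many interval ticks ran, because
// browsers throttle timers in background tabs.
class IdleLock {
  constructor({ idleMs = DEFAULT_IDLE_MS, onTimeout, now = Date.now } = {}) {
    if (!Number.isFinite(idleMs) || idleMs <= 0) {
      throw new RangeError('idleMs must be a positive number of milliseconds');
    }
    this.idleMs = idleMs;
    this.onTimeout = onTimeout;
    this.now = now;
    this.lastActivity = now();
    this.locked = false;
  }

  // Called on every user interaction. Once locked, activity no longer resets
  // the timer: the page stays locked until the identity provider has
  // re-authenticated the user (which reloads the page and this script).
  activity() {
    if (!this.locked) this.lastActivity = this.now();
  }

  idleFor() {
    return this.now() - this.lastActivity;
  }

  // Returns true exactly once, on the call that locks the session.
  check() {
    if (this.locked) return false;
    if (this.idleFor() < this.idleMs) return false;
    this.locked = true;
    if (typeof this.onTimeout === 'function') this.onTimeout();
    return true;
  }
}

// Builds the absolute sign-out URL from the site origin the answer calls siteUrl,
// tolerating a trailing slash on the origin.
function signOutUrl(siteUrl) {
  return siteUrl.endsWith('/') ? siteUrl + SIGN_OUT_PATH : siteUrl + '/' + SIGN_OUT_PATH;
}

// Browser wiring: reset the timer on common activity events, poll once a
// second, and re-check immediately when a hidden tab becomes visible again
// (the interval may not have fired while the tab was in the background).
// On timeout, navigate with location.replace so the Back button does not
// return to the locked page content.
function installIdleLock(idleMs = DEFAULT_IDLE_MS) {
  const lock = new IdleLock({
    idleMs,
    onTimeout: () => window.location.replace(signOutUrl(window.location.origin)),
  });
  ['mousemove', 'mousedown', 'keydown', 'scroll', 'touchstart'].forEach((ev) =>
    document.addEventListener(ev, () => lock.activity(), { passive: true })
  );
  document.addEventListener('visibilitychange', () => {
    if (!document.hidden) lock.check();
  });
  const handle = setInterval(() => {
    if (lock.check()) clearInterval(handle);
  }, 1000);
  return lock;
}

// Only wire up the DOM when running in a browser; the class above is usable as-is elsewhere.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  installIdleLock();
}
```

The timer runs in the user's browser, so it is a convenience control rather than an enforcement point: the application cookie lifetime configured on the server is what bounds the session if the script never runs, and prompt=login on the server is what stops the identity provider's SSO from silently signing the user back in after the redirect.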