
Authentication Session Invalidation

Open mlyczek opened this issue 9 years ago • 1 comments

Hi, I read the documentation about Authentication Session Invalidation. It seemed like a perfect solution for our need. We need to prevent logged-in users from accessing our client application (ASP.NET MVC) once they get disabled. Checking the disabled flag in the IAuthenticationSessionValidator correctly presents the user with the login page once we terminate their session in our client application and they are redirected to IdentityServer. The problem is that the authentication cookie from IdentityServer is still there, so the session wasn't really invalidated when the IAuthenticationSessionValidator returned false. This results in a situation where, once our user is enabled again during the lifetime of that cookie, he gets access to our client application without the need to authenticate again (which is what we are trying to prevent).

Is this behaviour correct and expected by design or am I misunderstanding something (which may be true)? Wouldn't it be better to remove the authentication cookie after the validator returns false in ConfigureCookieAuthenticationExtension.cs as suggested on Brock Allen's blog post?

```csharp
// OnValidateIdentity callback as it stands in ConfigureCookieAuthenticationExtension.cs,
// with the proposed sign-out line left commented out.
var validator = cookieCtx.OwinContext.Environment.ResolveDependency<IAuthenticationSessionValidator>();
var isValid = await validator.IsAuthenticationSessionValidAsync(new ClaimsPrincipal(cookieCtx.Identity));
if (isValid == false)
{
    // Drops the identity for this request only; the cookie stays in the browser.
    cookieCtx.RejectIdentity();
    // Proposed: also revoke the cookie so the session cannot come back later.
    // cookieCtx.OwinContext.Authentication.SignOut(cookieCtx.Options.AuthenticationType);
}
```

mlyczek avatar Oct 06 '16 08:10 mlyczek

Yea, we could...

brockallen avatar Oct 06 '16 12:10 brockallen
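The following is an added example, not code from the IdentityServer3 repository or from either participant. It wires the same check into a plain OWIN (Katana) cookie middleware so the two behaviours discussed above can be compared side by side: `RejectIdentity()` alone makes only the current request anonymous and leaves the cookie in the browser to be re-validated on every later request, while calling `SignOut()` for the cookie's own `AuthenticationType` also makes the middleware emit an expiring `Set-Cookie`, so re-enabling the account later does not silently restore the old session. `IDisabledUserLookup`, `DisabledFlagSessionValidator` and `InMemoryDisabledUserLookup` are hypothetical names introduced here; the validator keeps the signature of IdentityServer3's `IAuthenticationSessionValidator` but is not the project's implementation.

```csharp
// Added example; assumes Microsoft.Owin.Security.Cookies (Katana) and a
// hypothetical IDisabledUserLookup standing in for the real user store.
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security.Cookies;
using Owin;

// Hypothetical user-store lookup for the "disabled" flag.
public interface IDisabledUserLookup
{
    Task<bool> IsDisabledAsync(string subjectId);
}

// Same contract as IdentityServer3's IAuthenticationSessionValidator:
// return false and the cookie middleware will reject the identity.
public class DisabledFlagSessionValidator
{
    private readonly IDisabledUserLookup _users;

    public DisabledFlagSessionValidator(IDisabledUserLookup users)
    {
        _users = users;
    }

    public async Task<bool> IsAuthenticationSessionValidAsync(ClaimsPrincipal subject)
    {
        var sub = subject.FindFirst("sub")?.Value;
        if (string.IsNullOrEmpty(sub))
        {
            return false;   // no subject id: never treat as a valid session
        }
        return !await _users.IsDisabledAsync(sub);
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        var validator = new DisabledFlagSessionValidator(new InMemoryDisabledUserLookup());

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "Cookies",
            Provider = new CookieAuthenticationProvider
            {
                // Runs on every request that carries the cookie.
                OnValidateIdentity = async ctx =>
                {
                    var isValid = await validator.IsAuthenticationSessionValidAsync(
                        new ClaimsPrincipal(ctx.Identity));
                    if (!isValid)
                    {
                        // 1. This request is treated as anonymous ...
                        ctx.RejectIdentity();
                        // 2. ... and the cookie itself is revoked. Without this
                        //    call the browser keeps presenting the cookie until it
                        //    expires, and a re-enabled account is let back in with
                        //    no new authentication.
                        ctx.OwinContext.Authentication.SignOut(ctx.Options.AuthenticationType);
                    }
                }
            }
        });
    }
}

// Constructed in-memory stand-in so the example is self-contained:
// subject "alice" is currently disabled, everyone else is enabled.
public class InMemoryDisabledUserLookup : IDisabledUserLookup
{
    private static readonly HashSet<string> Disabled = new HashSet<string> { "alice" };

    public Task<bool> IsDisabledAsync(string subjectId)
    {
        return Task.FromResult(Disabled.Contains(subjectId));
    }
}
```

One caveat a practitioner should keep in mind: the sign-out only takes effect on a response that reaches the browser, so a request rejected this way still needs to return (or redirect) normally for the expiring cookie header to be delivered; the validator also runs on every request, so the disabled-flag lookup should be cheap or cached.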