
Situation

Let's say an administrator of a site removes a user from the Admin role and adds her to the Contributor role. According to the site's database, that user has been demoted and should no longer have access to Admin-only features. Now the user comes back to the site some time after that change, but had logged in sometime before the change and is still logged in. So long as that user does not log out, she will continue to have claims that say she is in the Admin role. If she logs out, or gets logged out, she loses the claim that she belongs to the Admin role and when she signs back in receives the new claim of belonging to the Contributor role.

Desire

What I would like to happen, perhaps the next time the user requests a page from the site after the administrator made the change, is to have that user transparently lose the Admin role claim and gain the Contributor role claim without her having to sign out or do anything special. In fact, I would prefer she is unaware of the change, except that her menu has changed a little because she can no longer perform Admin-only activities.

How would you handle this situation in a way that is invisible to the affected user?

My thoughts

I am using ASP.NET MVC 5 and ASP.NET Identity, but it seems like a solution to this could be easily generalized to other claims based frameworks that utilize cookies. I believe that ASP.NET Identity stores claims in the user's cookies by default in MVC 5 apps.

I have read the following post along with many others on SO and it comes closest to answering this question but it only addresses the case where the user updates herself, not when someone else like an administrator makes the change to her account: MVC 5 current claims autorization and updating claims

Jeremy Cook

1 Answer


There is a feature in Identity 2.0 which addresses this. Basically you will be able to do something like this, which adds validation at the cookie layer that will reject users whose credentials have changed, so they are forced to re-login/get a new cookie. Removing a role should trigger this validation (note that it only does this validation check after the validationInterval has passed, so the cookie will still be valid for that smaller timespan).

using System;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup {
    public void ConfigureAuth(IAppBuilder app) {
        app.UseCookieAuthentication(new CookieAuthenticationOptions {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            Provider = new CookieAuthenticationProvider {
                // Enables the application to validate the security stamp when the user logs in.
                // This is a security feature which is used when you change a password or add an external login to your account.
                OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                    validateInterval: TimeSpan.FromMinutes(30),
                    regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            }
        });
    }
}
Hao Kung
  • Does this support automatically re-authenticating them with the new claims, or will this sign them out and send them to the login page? I'm guessing the answer is yes and that's the `regenerateIdentity` bit but just want to confirm for my sake and others'. – Jeremy Cook Feb 11 '14 at 18:56
  • No, regenerateIdentity will be called to refresh the claims every validateInterval; it won't sign them out unless something caused their security stamp to change (changed password, removed login). – Hao Kung Feb 14 '14 at 19:42
  • Thank you, but I'm not sure I understand. Does that mean an administrator changing a user's role causes their security stamp to change? If the security stamp changes, does that result in a sign out the next time they issue a request to the site and cause the user to be directed to the login page? – Jeremy Cook Feb 14 '14 at 20:47
  • Changing a role doesn't affect the security stamp, as that just surfaces as a claim and will be refreshed automatically every time the interval passes. The only time a user gets signed out/redirected is if someone changes the password via a different browser/client (your app should explicitly call sign in for the user on the pages where they are changing passwords, removing logins, etc.), such that the stored cookie fails validation. – Hao Kung Feb 14 '14 at 22:40
  • Sounds like the answer is "Soon, when Identity 2.0 goes live." Looking forward to it! – Jeremy Cook Feb 14 '14 at 23:29
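The answer's SecurityStampValidator configuration only works if the `regenerateIdentity` callback actually rebuilds the identity from the database, and the question's scenario needs an admin action that changes the role there. The block below is an added example (not code from the question, the answer, or the ASP.NET project templates) showing both halves together. It assumes the `ApplicationUserManager` type referenced in the answer exists as in a standard MVC 5 project; `UserAdminController`, its `Demote` action and the "Admin"/"Contributor" role names are hypothetical, taken from the question's description.

```csharp
// Added example: the identity factory that regenerateIdentity calls every
// validateInterval, plus a hypothetical admin action that demotes a user.
// Assumes ApplicationUserManager (from the answer) is defined as in the
// MVC 5 template, i.e. derives from UserManager<ApplicationUser>.
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;
using Microsoft.AspNet.Identity.Owin;

public class ApplicationUser : IdentityUser
{
    // Passed to SecurityStampValidator as regenerateIdentity. Each time the
    // validator fires (validateInterval after the cookie was issued or last
    // regenerated) this rebuilds the ClaimsIdentity from the store and the
    // cookie is re-issued, so role claims reflect the database at that moment.
    public async Task<ClaimsIdentity> GenerateUserIdentityAsync(UserManager<ApplicationUser> manager)
    {
        // CreateIdentityAsync reads the user's current roles and adds one
        // ClaimTypes.Role claim per role, plus the security stamp claim that the
        // validator compares against the stamp stored for the user.
        ClaimsIdentity identity = await manager.CreateIdentityAsync(
            this, DefaultAuthenticationTypes.ApplicationCookie);
        return identity;
    }
}

[Authorize(Roles = "Admin")]
public class UserAdminController : Controller
{
    private ApplicationUserManager UserManager
    {
        get { return HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>(); }
    }

    // Moves a user from Admin to Contributor in the database only. Per the
    // answer, the demoted user's cookie keeps its Admin claim until
    // validateInterval elapses; the regenerated identity then drops it silently.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> Demote(string userId)
    {
        IdentityResult result = await UserManager.RemoveFromRoleAsync(userId, "Admin");
        if (!result.Succeeded)
        {
            return new HttpStatusCodeResult(400, string.Join("; ", result.Errors));
        }

        result = await UserManager.AddToRoleAsync(userId, "Contributor");
        if (!result.Succeeded)
        {
            return new HttpStatusCodeResult(400, string.Join("; ", result.Errors));
        }

        // Assumption beyond what the answer states: rotating the security stamp
        // makes the old cookie fail the validator's stamp comparison at the next
        // interval check, which signs the user out instead of refreshing claims.
        // It stays commented out to keep the transparent behaviour the question wants.
        // await UserManager.UpdateSecurityStampAsync(userId);

        return RedirectToAction("Index");
    }
}
```

With the answer's `validateInterval` of 30 minutes, a demotion becomes visible to the affected user at most 30 minutes after the change, and in the meantime the stale Admin claim is still honoured by `[Authorize(Roles = "Admin")]`. A shorter interval narrows that window at the cost of one user lookup per request once the interval has passed, so the value is a trade-off between revocation latency and database load.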