
I have a simple ASP.NET web app using Azure AD with role/claims authentication/authorization. Basically the app checks IsInRole() for the user and then, depending on what is returned, he gets access to the area of the web app. We are using SECURITY GROUPS in Azure AD. The scenario here is: a user belongs to Group1 and upon login to the web app he gets access to the Group1 area; now an administrator at the backend adds the user to Group2 as well. What we want is, without the user logging out and logging back in to the portal, for his token to contain this newly added Group2 as well. Is there any way to refresh the token to have the additional Group2 added to that user's token without him logging out and in to the app?

Is there any way to force a refresh of the token with new information?

Appreciate your help.

Thank you.

user42012

1 Answer


Refresh Token to Acquire new Access Token

One approach could be to use a refresh token to acquire a new access token if you're using a grant like the authorization code grant in your web application.

You can read more about it here - Refreshing the Access Tokens

Your application will need to decide when to acquire a new access token, so it can do that when it's aware that group membership has been updated by a backend component/admin.

Now, a separate topic that you haven't mentioned much about is how your web application, where the user is already signed in, would get to know about such an event, but something like a SignalR notification could possibly help.

Things to note:

  • Working with refresh tokens can be a little brittle as they can get revoked for reasons not controlled by your app (e.g. a password change for the user, expiration, although that's long, and other reasons too). In case of such errors, getting a new authorization code would be the only option left.

  • Refresh tokens must be kept securely.

  • Specifically in the case of groups claims there can be overage scenarios where the access token alone may not help.


Alternative approach (instead of trying to force a refresh of the token with new information, as you mention)

If the groups claim is what you're after, then make use of the Microsoft Graph API to get information about the security groups that the user belongs to instead of looking at just the access token.

Your application code can call the Microsoft Graph API again at any point to get new membership details, i.e. Group1 and Group2 as per your example (when it's aware that group membership has been updated by a backend component/admin). SignalR or some other way to notify your app of such changes would be relevant here as well.

Relevant Microsoft Graph APIs

  • user: getMemberGroups

    POST https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}/getMemberGroups
    

    This is just one that seems relevant to me, but there are other similar APIs like memberOf and you can choose based on your requirement.

Advantages

  1. You get around any overage scenarios where the user belongs to many groups, so the access token doesn't provide you all the group information you need anyway.

  2. You don't need to force a logout and login back again for user in order to get access token with fresh information.

Overage Scenario details for groups claim in access token

Currently you may have edited your application's manifest and set the "groupMembershipClaims" property to "All" or "SecurityGroup" so that the access token gets a groups claim with all group ids to which the user belongs.


To ensure that the token size doesn't exceed HTTP header size limits, Azure AD limits the number of objectIds that it includes in the groups claim. If a user is member of more groups than the overage limit (150 for SAML tokens, 200 for JWT tokens), then Azure AD does not emit the groups claim in the token. Instead, it includes an overage claim in the token that indicates to the application to query the Graph API to retrieve the user's group membership.

Rohit Saigal
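The answer's two recommendations in working form, as an added example that is not code from the original answer or from the Microsoft sample the asker mentions: inspect the validated token's groups claim, recognise the overage indicator (`_claim_names`/`_claim_sources` on v1.0 tokens, `hasgroups` on v2.0 tokens) that means the token cannot carry the groups, and call getMemberGroups on Microsoft Graph to pick up a membership change in the same session when the backend signals one. Python is used so the token and Graph logic can be run without an ASP.NET project; the group object ids, the user id, the Graph bearer token, the unsigned sample tokens, the `membership_changed` flag and the fake Graph transport are all constructed for the example, and the real call needs a Graph token carrying a permission that allows reading group membership.

```python
import base64
import json
import urllib.request
from typing import Optional

# Graph endpoint named in the answer; {user} is an object id or a UPN.
GRAPH_GET_MEMBER_GROUPS = "https://graph.microsoft.com/v1.0/users/{user}/getMemberGroups"
# Hypothetical group object ids, constructed for this example only.
GROUP1 = "11111111-1111-1111-1111-111111111111"
GROUP2 = "22222222-2222-2222-2222-222222222222"


def jwt_payload(token: str) -> dict:
    """Claims of a compact JWT, WITHOUT signature verification: only for
    inspecting a token the auth middleware has already validated."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    seg = parts[1]  # base64url without padding; restore it before decoding
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))


def groups_from_token(claims: dict) -> Optional[list]:
    """Group ids in the token, or None when the token is in overage: past the
    limit Azure AD drops 'groups' and emits _claim_names/_claim_sources (v1.0)
    or hasgroups (v2.0) to tell the app to query Graph instead."""
    if "groups" in claims:
        return list(claims["groups"])
    if claims.get("hasgroups") or "groups" in claims.get("_claim_names", {}):
        return None
    return []  # no groups claim configured, or the user is in no groups


def fetch_member_groups(user: str, graph_token: str, transport=None,
                        security_enabled_only: bool = True) -> list:
    """POST /users/{user}/getMemberGroups and return the (transitive) group ids.
    `transport` maps a urllib Request to a response body so a test can
    substitute a fake Graph; the default sends the request with urllib."""
    req = urllib.request.Request(
        GRAPH_GET_MEMBER_GROUPS.format(user=user),
        data=json.dumps({"securityEnabledOnly": security_enabled_only}).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {graph_token}",
                 "Content-Type": "application/json"},
    )
    send = transport or (lambda r: urllib.request.urlopen(r).read())
    return json.loads(send(req))["value"]


def effective_groups(claims: dict, user: str, graph_token: str,
                     transport=None, membership_changed: bool = False) -> list:
    """Groups to authorize against now. The token's claim is used unless it
    is in overage or the app was told (e.g. by a SignalR message from the
    backend) that membership changed since issuance; then Graph is the
    source of truth and no logout/login is needed to see the new group."""
    if not membership_changed:
        from_token = groups_from_token(claims)
        if from_token is not None:
            return from_token
    return fetch_member_groups(user, graph_token, transport=transport)


# ---- constructed sample input (not real Azure AD tokens) -------------------

def _unsigned_jwt(claims: dict) -> str:
    """Unsigned (alg=none) token built purely as sample input."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Token issued at login, when the user was only in Group1.
LOGIN_TOKEN = _unsigned_jwt({"oid": "user-oid", "groups": [GROUP1]})
# Overage token: no 'groups', only the pointer claims (endpoint value is made up).
OVERAGE_TOKEN = _unsigned_jwt({
    "oid": "user-oid",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "https://graph.windows.net/tenant/users/user-oid/getMemberObjects"}},
})


def fake_graph(req: urllib.request.Request) -> bytes:
    """Stand-in Graph: the admin has since added the user to Group2."""
    if req.get_method() != "POST" or not req.has_header("Authorization"):
        raise ValueError("unexpected Graph request")
    return json.dumps({"value": [GROUP1, GROUP2]}).encode()


def demo() -> tuple:
    claims = jwt_payload(LOGIN_TOKEN)
    # 1. Trusting the cached token: still only Group1, so Group2's area is denied.
    stale = effective_groups(claims, "user-oid", "graph-token", fake_graph)
    # 2. Backend reports a membership change: re-query Graph within the same session.
    fresh = effective_groups(claims, "user-oid", "graph-token", fake_graph,
                             membership_changed=True)
    # 3. Overage token: Graph is the only way to learn the groups at all.
    over = effective_groups(jwt_payload(OVERAGE_TOKEN), "user-oid", "graph-token", fake_graph)
    return stale, fresh, over


if __name__ == "__main__":
    stale, fresh, over = demo()
    print("cached token:", stale, "| Group2 allowed:", GROUP2 in stale)
    print("after Graph re-query:", fresh, "| Group2 allowed:", GROUP2 in fresh)
    print("overage token via Graph:", over)
```

The decode helper deliberately does not verify the signature: it is for inspecting claims after the authentication middleware has validated the token, not a substitute for that validation. In the real app, `membership_changed` is what a SignalR notification (or the expiry of a short cache on the Graph result) would set, and Graph's answer rather than the stale claim is then what the IsInRole()-style check should be fed.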
  • Thank you Rohit (Rohit Saigal), I was actually creating a demo for the AD WebApp Role Claims sample (https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-webapp-roleclaims/). Everything is working fine, just that for now when I move the user from GroupA to GroupB I have to log out of the app and log back in to check the changes. I like your implementation approach, just that with 8 more hours in my hand before my demo I was thinking if there was a way out here without login/logout. Thank you! – user42012 Apr 09 '19 at 23:59
  • OK, got it. Another approach could be to use a **refresh token** to get a new **access token** without prompting the user for credentials again. I think that group/role claims should be refreshed in the new access token, but I haven't tested it. You can read about it here: https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code#refreshing-the-access-tokens. Although this approach may be a little more brittle as refresh tokens can get revoked for multiple reasons; also, in the case of group claims, overage scenarios won't be tackled in this approach. Good luck with your demo! – Rohit Saigal Apr 10 '19 at 01:36
  • Thank you Rohit, appreciate your follow up and detailed response. – user42012 Apr 11 '19 at 00:02
  • Rohit, do you have an idea about implementing AcquireTokenSilent() in .NET Core? https://stackoverflow.com/questions/57134759/refresh-access-token-using-acquiretokensilent – NewBieDevRo Jul 22 '19 at 20:10