
I have a .NET Core webapp that uses Azure Active Directory to authenticate users. I have configured the app access in Azure AD and then I put this in my Startup class:

//Use Azure Active Directory OAuth 2.0 authentication
services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
        .AddAzureAD(options => Configuration.Bind("AzureAd", options)); //AzureAD settings are stored in appsettings.json

This works correctly and users can successfully authenticate with their Azure AD company account.

However, inside one of my controllers I need to check which security groups the user is a member of, to perform some security checks. So I use this code to check if the user is part of a certain security group:

var groupClaims = User.HasClaim(claim => claim.Type == "group" && claim.Value == mySecurityGroupUid);

This works... kind of.
The problem is that the collection of Claims inside the User object is only updated when the user logs out of the web app and logs back in. If the user does not explicitly log out of the webapp and log back in, the list of claims does not update.

This is a big problem, because it means that if, for example, I remove a user from a security group, that change will not be reflected in my webapp until the user logs out. This means that the user might be able to access data that he is not authorized to access anymore, because the webapp still thinks he belongs to the old set of groups.

Even stopping and re-deploying the web application does not update the groups, the only way I found to force the groups to update is to have the user explicitly logout of the webapp and log back in.

So my questions are:

  • Is this the intended behavior? Or am I doing something wrong?
  • Is there a way to force the list of claims to "sync" with Azure AD?
  • If not, is there a way I can forcibly log out all users when my webapp stops and restarts, so I know all users are forced to log back in, which in turn will update their claims?
  • Claims are stored inside a cookie and stays there until cookie expires. I've been working with AD and custom claims providers. In those cases, I've cached claims for e.g. one hour. – Roar S. Dec 10 '20 at 18:54
  • You're right, that's why I asked my 3rd point: if I can ensure that after I restart the app all existing sessions are purged, it would work ok. I've found a possible solution here on SO, I'll post it tomorrow if no one comes up with a better one – Master_T Dec 11 '20 at 08:43
  • I think azure web service is designed for 7*24 running, so I don't think there's a way will make forcibly log out when web app stop. And my idea is setting a session expired time so that each account need sign in again in several minutes later. – Tiny Wang Dec 16 '20 at 07:15
  • My app is not hosted in azure web services, it just uses azure active directory for authentication, but it's hosted on a dedicated server. I found a solution to the problem by implementing a custom ticket store, check the link in my answer for more details. – Master_T Dec 17 '20 at 16:57

1 Answer


I solved this by using the implementation posted here:

https://stackoverflow.com/a/51210553/300741

This approach uses a ram-backed server-side object to store session data, so instead of all user info and claims being in the cookie they're stored on the server and the cookie just contains a token that the server uses to identify the session. This guarantees that sessions are cleared when the webapp restarts, solving my problem.

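As an added illustration of the server-side session approach the answer describes (this is example code written for this page, not the code from the original post or from the linked answer), the block below implements a memory-backed ITicketStore and attaches it to the cookie handler that AddAzureAD registers. The class name MemoryCacheTicketStore, the key prefix and the one-hour sliding timeout are choices made for this example; ITicketStore, AuthenticationTicket, IMemoryCache, AzureADDefaults.CookieScheme and the options builder calls are the real ASP.NET Core APIs.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.AzureAD.UI;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.Extensions.Caching.Memory;
using Microsoft.Extensions.DependencyInjection;

// Example ticket store (not from the original post): keeps the whole
// AuthenticationTicket (principal + claims) in process memory. The cookie
// sent to the browser then only carries the opaque key returned by
// StoreAsync, so restarting the process empties the cache and every
// existing cookie becomes invalid; the user is sent back to Azure AD and
// signs in with fresh group claims.
public class MemoryCacheTicketStore : ITicketStore
{
    private const string KeyPrefix = "AuthSessionStore-"; // example prefix
    private readonly IMemoryCache _cache;

    public MemoryCacheTicketStore(IMemoryCache cache)
    {
        _cache = cache;
    }

    public async Task<string> StoreAsync(AuthenticationTicket ticket)
    {
        // A random, unguessable key is what ends up inside the cookie.
        var key = KeyPrefix + Guid.NewGuid().ToString("N");
        await RenewAsync(key, ticket);
        return key;
    }

    public Task RenewAsync(string key, AuthenticationTicket ticket)
    {
        var options = new MemoryCacheEntryOptions();

        // Never keep the entry longer than the ticket itself is valid.
        var expiresUtc = ticket.Properties.ExpiresUtc;
        if (expiresUtc.HasValue)
        {
            options.SetAbsoluteExpiration(expiresUtc.Value);
        }

        // Idle sessions drop out of the cache after an hour (example value);
        // the next request then triggers a new sign-in, which also refreshes
        // the claims without waiting for the cookie's own expiry.
        options.SetSlidingExpiration(TimeSpan.FromHours(1));

        _cache.Set(key, ticket, options);
        return Task.CompletedTask;
    }

    public Task<AuthenticationTicket> RetrieveAsync(string key)
    {
        // A missing entry yields null, which the cookie handler treats as
        // "not authenticated" and redirects to the challenge.
        _cache.TryGetValue(key, out AuthenticationTicket ticket);
        return Task.FromResult(ticket);
    }

    public Task RemoveAsync(string key)
    {
        // Called on sign-out so the server-side session is gone immediately.
        _cache.Remove(key);
        return Task.CompletedTask;
    }
}

// Registration in Startup.ConfigureServices, alongside the AddAzureAD call
// from the question. The AzureAD handler signs users in through the cookie
// scheme named AzureADDefaults.CookieScheme, so that is the options
// instance that needs the SessionStore.
public static class TicketStoreRegistration
{
    public static void AddServerSideSessions(IServiceCollection services)
    {
        services.AddMemoryCache();
        services.AddSingleton<ITicketStore, MemoryCacheTicketStore>();

        services.AddOptions<CookieAuthenticationOptions>(AzureADDefaults.CookieScheme)
                .Configure<ITicketStore>((options, store) =>
                {
                    options.SessionStore = store;
                });
    }
}
```

Two practical caveats for this design: because the store lives in a single process's memory, it only behaves as described when one instance serves all requests; behind a load balancer the same idea needs a shared backend (an ITicketStore over IDistributedCache, for example), and then a restart no longer clears sessions on its own, so an explicit RemoveAsync or cache flush is needed to force users back through Azure AD. Second, this only refreshes group membership at the next sign-in; any authorization decision that must reflect a group removal within minutes rather than at the next login still has to be checked against the directory itself instead of the cached claims.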