0

We have 2 MVC applications as clients and an Identity Server 4.

We have set up cookie middleware and OpenID Connect using OWIN.

Client 1 has a cookie lifetime of 40 minutes.

Client 2 has a cookie lifetime of 10 minutes (maybe it's more strict for security reasons).

We send max-age = session_length in the authorization endpoint, but in some cases we want to send the user immediately for re-authentication (for security reasons).

So, we decided to send max-age=0 in these cases.

So our problem is: if we need to send the user for re-authentication before the client cookie expires, the user will be redirected to Identity Server with max-age=0, but what happens if the user hits the client login page again is that the user will be redirected with max-age=session_length and the user will get tokens.

How can we protect the client? The user is not authenticated so we don't know which user it is. How can we store information about the user's previous activity? For example, where can we store the previous max-age value? So if the user tries to access the login page again we will know the correct max-age value.

Donpoulio
  • The explanation is a bit messy, not sure what you really want: just to make IdentityServer redirect to the login page each time you perform the auth request (no session for IdentityServer itself = no SSO)? – d_f Feb 16 '22 at 15:04
  • You say "the user is not authenticated so we don't know which user it is", but that is only the identity provider's prerogative, not the client's, to decide whether the user is authenticated or not. It looks like your picture is a bit upside down. – d_f Feb 16 '22 at 15:18

2 Answers

1

I think that you are using the wrong mechanism. To force a re-authentication you should set prompt=login and not use max-age.

Anders Abel
  • Yes, you can trigger re-authentication using both prompt=login and max-age=0. Check this: https://auth0.com/docs/authenticate/login/max-age-reauthentication But it doesn't mean that resolves my problem. – Donpoulio Feb 08 '22 at 18:20
1

When the max-age parameter is sent during an OpenID Connect authorization redirect, it is issued in the ID token as an auth_time claim. There will be a separate one of these for each of your clients.

So given an incoming request, inspect cookies, get the ID token, and see if the auth_time is exceeded. If so (or if there is no valid application cookie) send these parameters as Anders says:

prompt=login, max_age=sessiontime

Otherwise send just this:

max_age=sessiontime

This mechanism is often used when you cannot get the desired logout usability or reliability. Just remove tokens from the app on logout and avoid a logout redirect to the Authorization Server.

Gary Archer
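The decision Gary Archer describes (always send max_age so auth_time is issued; add prompt=login when the app has no valid cookie, when auth_time is older than this client's session length, or when the app itself demands re-authentication), written out as an added example. This is not code from the question or from either answer; it is Python rather than the asker's OWIN stack so the logic stands on its own, and the client ids, redirect URIs, authorize endpoint, session lengths and ID-token claims are constructed values. It also replays the scenario from the question: because the app removes its own tokens when it forces re-authentication, the next visit to the login page finds no session and sends prompt=login again, so the app's own session state is the only record of the earlier decision that it needs.

```python
"""Per-client re-authentication decision for an OIDC authorization request.

Added example, not code from the question or either answer. client_id,
redirect_uri, the authorize endpoint, session lengths and the ID-token
claims below are constructed values.
"""
import time
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlencode


@dataclass(frozen=True)
class ClientPolicy:
    client_id: str
    redirect_uri: str
    session_length: int  # seconds; kept equal to this app's own cookie lifetime


class AppSession:
    """Stand-in for the client app's auth cookie: holds validated ID-token claims."""

    def __init__(self) -> None:
        self.claims: Optional[dict] = None

    def sign_in(self, claims: dict) -> None:
        # Store claims only after the OIDC middleware has validated the ID token.
        self.claims = claims

    def sign_out(self) -> None:
        # "Remove tokens from the app": the next request then sees no session.
        self.claims = None

    def auth_time(self) -> Optional[int]:
        return None if self.claims is None else int(self.claims["auth_time"])


def authorize_params(policy: ClientPolicy, auth_time: Optional[int], now: int,
                     force_reauth: bool = False) -> dict:
    """Build the authorization-request parameters for one client.

    max_age is always sent, so the provider issues auth_time in the ID token.
    prompt=login is added when there is no valid application session, when
    the last authentication is older than this client's session length, or
    when the app itself demands re-authentication. state and nonce are left
    to the OIDC middleware, which adds them.
    """
    params = {
        "client_id": policy.client_id,
        "response_type": "code",
        "scope": "openid profile",
        "redirect_uri": policy.redirect_uri,
        "max_age": str(policy.session_length),
    }
    stale = auth_time is None or (now - auth_time) >= policy.session_length
    if force_reauth or stale:
        params["prompt"] = "login"
    return params


def authorize_url(authorize_endpoint: str, params: dict) -> str:
    return authorize_endpoint + "?" + urlencode(params)


def forced_reauth_flow(policy: ClientPolicy, now: int) -> Tuple[dict, dict, dict]:
    """Replay the question's scenario and return the three requests built.

    normal: the user has a fresh session, so a routine redirect carries
            only max_age.
    first:  the app decides the user must re-authenticate now; it drops its
            own tokens and redirects with prompt=login.
    second: the user opens the login page again before finishing step one;
            with no session left, the request again carries prompt=login
            instead of falling back to a plain max_age request.
    """
    session = AppSession()
    session.sign_in({"sub": "user-1", "auth_time": now - 300})  # constructed claims
    normal = authorize_params(policy, session.auth_time(), now)

    session.sign_out()  # remove tokens from the app before the forced redirect
    first = authorize_params(policy, session.auth_time(), now, force_reauth=True)

    second = authorize_params(policy, session.auth_time(), now + 30)
    return normal, first, second


if __name__ == "__main__":
    # Constructed per-client policies matching the 40- and 10-minute cookie lifetimes.
    relaxed = ClientPolicy("client1", "https://client1.example/signin-oidc", 40 * 60)
    strict = ClientPolicy("client2", "https://client2.example/signin-oidc", 10 * 60)
    endpoint = "https://idsrv.example/connect/authorize"  # assumed endpoint
    for policy in (relaxed, strict):
        for label, params in zip(("normal", "forced", "retry"), forced_reauth_flow(policy, int(time.time()))):
            print(policy.client_id, label, authorize_url(endpoint, params))
```

In the asker's OWIN setup the equivalent place to set these parameters is the `RedirectToIdentityProvider` notification of `OpenIdConnectAuthenticationOptions`, where the outgoing message's `Prompt` and `MaxAge` can be set per client from the same decision; the auth_time comparison reads the `auth_time` claim the middleware already validated from the ID token, so no unverified token parsing is needed.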