User stays logged in after deleting from Azure AD

Submitted by 孤者浪人 on 2019-12-24 22:36:05

Question


I've set up a small ASP.NET Core v3 webapp using Microsoft.Identity.Web from https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/1-WebApp-OIDC

This works fine. But when I log in as userA and then delete this user from our Azure AD, the user stays logged in. How can I force my app to regularly check if the user still exists or if his roles have changed?

From Cookie not expiring for Azure AD auth I understand I can set OpenIdConnectOptions.UseTokenLifetime = false and CookieAuthenticationOptions.ExpireTimeSpan. But I don't have these options, because (I think) this is handled by Microsoft.Identity.Web.

This is my startup.cs:

        public void ConfigureServices(IServiceCollection services)
        {
            services.Configure<CookiePolicyOptions>(options =>
            {
                // This lambda determines whether user consent for non-essential cookies is needed for a given request.
                options.CheckConsentNeeded = context => true;
                options.MinimumSameSitePolicy = SameSiteMode.None;
            });

            services.AddMicrosoftIdentityPlatformAuthentication(Configuration);

            // Start update
            // Tie the auth cookie's expiry to the id_token's lifetime.
            services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
            {
                options.UseTokenLifetime = true;
            });

            // Fixed (non-sliding) cookie lifetime.
            services.Configure<CookieAuthenticationOptions>(AzureADDefaults.CookieScheme, options =>
            {
                options.ExpireTimeSpan = TimeSpan.FromMinutes(10);
                options.SlidingExpiration = false;
            });
            // End update

            services.AddControllersWithViews(options =>
            {
                // Require an authenticated user for every controller action by default.
                var policy = new AuthorizationPolicyBuilder()
                    .RequireAuthenticatedUser()
                    .Build();
                options.Filters.Add(new AuthorizeFilter(policy));
            });
            services.AddRazorPages();
        }

Should I just add the OpenIdConnectOptions and CookieAuthenticationOptions?

Update: Fiddler response
https://localhost:44321/AzureAD/Account/SignIn:

Response sent 393 bytes of Cookie data:
Set-Cookie: .AspNetCore.OpenIdConnect.Nonce.CfDJ8DuK51tOHitCik75v2S8iWxKHxTWbTuVHpn..tFRI_4=N; expires=Mon, 18 Nov 2019 15:46:01 GMT; path=/signin-oidc; secure; httponly
Response sent 159 bytes of Cookie data:
Set-Cookie: .AspNetCore.Correlation.AzureADOpenID.391z3h71jwDryPN3B-AdSG0heYONqHJl1CVSVXQTEvA=N; expires=Mon, 18 Nov 2019 15:46:01 GMT; path=/signin-oidc; secure; httponly

https://login.microsoftonline.com/4723a546-001...:

Response sent 1012 bytes of Cookie data:
    Set-Cookie: ESTSAUTHPERSISTENT=AQABAAQAAACQN9QBRU3jT6bcBQLZNUj7uwP...mnvoIAAgAEAA8AEAAA; domain=.login.microsoftonline.com; expires=Sun, 16-Feb-2020 15:31:00 GMT; path=/; secure; HttpOnly; SameSite=None

Response sent 344 bytes of Cookie data:
    Set-Cookie: ESTSAUTH=AQABAAQAAACQN9QBRU3jT6bcBQLZNUj7wC-ZyhIlRLoQ...AAIABAACAAAAA; domain=.login.microsoftonline.com; path=/; secure; HttpOnly; SameSite=None

Response sent 46 bytes of Cookie data:
    Set-Cookie: ESTSAUTHLIGHT=+; path=/; secure; SameSite=None

Response sent 151 bytes of Cookie data:
    Set-Cookie: ch=5skAXHVPUQU3cW85sv9gWKffR4iIPEUy-ft0Wus--nw; domain=.login.microsoftonline.com; expires=Sun, 16-Feb-2020 15:31:00 GMT; path=/; secure; SameSite=None

Response sent 50 bytes of Cookie data:
    Set-Cookie: ESTSSC=00; path=/; secure; HttpOnly; SameSite=None

Response sent 291 bytes of Cookie data:
    Set-Cookie: buid=AQABAAEAAACQN9QBRU3jT6bcBQLZNUj7TWvsgdEJ-MOKclE...UnPupXv2kGSxsgAA; expires=Wed, 18-Dec-2019 15:31:00 GMT; path=/; secure; HttpOnly; SameSite=None

Response sent 1831 bytes of Cookie data:
    Set-Cookie: CCState=Q2xJS1FHZGxaWEowYUdWa1pHVkFjM1ZpWVdSMmFXVnpM...reFV1VkFBRT0=; domain=.login.microsoftonline.com; expires=Thu, 28-Nov-2019 15:31:00 GMT; path=/; secure; HttpOnly; SameSite=None

Response sent 171 bytes of Cookie data:
    Set-Cookie: fpc=AoAEjBaP4a5AlJE4o0Jin2Ps2YtHAQAAAOmvZNUOAAAAg2kmAwIAAAC8r2TVDgAAADvINqwBAAAA2K9k1Q4AAAA; expires=Wed, 18-Dec-2019 15:31:00 GMT; path=/; secure; HttpOnly; SameSite=None

https://login.microsoftonline.com/4723a546-001../login HTTP/1.1:

Response sent 1012 bytes of Cookie data:
    Set-Cookie: ESTSAUTHPERSISTENT=AQABAAQAAACQN9QBRU3jT6bcBQLZNUj...IAAgAEAA8AEAAA; domain=.login.microsoftonline.com; expires=Sun, 16-Feb-2020 15:31:18 GMT; path=/; secure; HttpOnly; SameSite=None

Response sent 728 bytes of Cookie data:
    Set-Cookie: ESTSAUTH=AQABAAQAAACQN9QBRU3jT6bcBQLZNUj77qVSa5EFK...BAAEABAAA; domain=.login.microsoftonline.com; path=/; secure; HttpOnly; SameSite=None

Response sent 82 bytes of Cookie data:
    Set-Cookie: ESTSAUTHLIGHT=+d4f06d0f-8cba-42f7-81cd-a996d96fcbce; path=/; secure; SameSite=None

Response sent 151 bytes of Cookie data:
    Set-Cookie: ch=o3kjZd2rB2j31dip8OtCMqqwRWCB2vyRziEz796WfUE; domain=.login.microsoftonline.com; expires=Sun, 16-Feb-2020 15:31:18 GMT; path=/; secure; SameSite=None

Response sent 50 bytes of Cookie data:
    Set-Cookie: ESTSSC=00; path=/; secure; HttpOnly; SameSite=None

Response sent 291 bytes of Cookie data:
    Set-Cookie: buid=AQABAAEAAACQN9QBRU3jT6bcBQLZNUj7jiDQCSTiR0kg-...V2qP5AgAA; expires=Wed, 18-Dec-2019 15:31:18 GMT; path=/; secure; HttpOnly; SameSite=None

Response sent 1831 bytes of Cookie data:
    Set-Cookie: CCState=Q2xJS1FHZGxaWEowYUdWa1pHVkFjM1ZpWVdSMmFXVn...NiOEFBRT0=; domain=.login.microsoftonline.com; expires=Thu, 28-Nov-2019 15:31:18 GMT; path=/; secure; HttpOnly; SameSite=None

Response sent 171 bytes of Cookie data:
    Set-Cookie: fpc=AoAEjBaP4a5AlJE4o0Jin2Ps2YtHAQAAAOmvZNUOAAAAg2...AA; expires=Wed, 18-Dec-2019 15:31:18 GMT; path=/; secure; HttpOnly; SameSite=None

Response sent 66 bytes of Cookie data:
    Set-Cookie: x-ms-gateway-slice=estsfd; path=/; SameSite=None; secure; HttpOnly

Response sent 47 bytes of Cookie data:
    Set-Cookie: stsservicecookie=ests; path=/; secure; HttpOnly

Update 2:
The changes in my Startup.cs do seem to work now. I log in as UserC and then delete this user from AAD. After an hour when I change pages I need to log-in again. Which fails of course. The hour is a bit strange because I set ExpireTimeSpan to 10 min. But I'm already happy the user gets checked.
One side-note: When I now restart my application it redirects directly to login.live.com and is asking me for the password, but I can't alter the username!
In the URL I see the username as a parameter, when I remove it it does ask me for the username. But when I use another account it keeps saying my password is incorrect. Most likely because it is using my personal version and not my work version. I can't change this so I can't login into my own application anymore.
Another huge drawback is that I was also logged in on Azure Portal with my Admin account. The next morning after restarting my laptop and reopening Chrome and restoring my tabs including my tab for Azure Portal I'm now logged in as the user I used in my application. Why?? And when that user is deleted I can't log-in to Azure Portal anymore. Most likely because it is using my personal version instead of my business version.
I'm not sure if I should continue on the path of using Microsoft Identity Platform for my new application. So far it has more drawbacks than benefits for me.


Answer 1:


Add

            // Make the auth cookie expire together with the id_token.
            services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
            {
                options.UseTokenLifetime = true;
            });

after your Startup call to AddMicrosoftIdentityPlatform to force cookies to use the id_token lifetime (1h). If the user is deleted or disabled, the request for a new token will fail. That request will be issued within 1h of the last one. I would not change the cookie lifetime to 1 min: that would result in frequent re-authentication requests, which would slow your app down, cost you $$$ (if using B2C) and could result in DOS refusal altogether.
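An added example, not code from the question, either answer, or the Microsoft.Identity.Web sample, showing the two pieces a practitioner would want here: the `UseTokenLifetime = true` setting from Answer 1, and a `CookieAuthenticationEvents.OnValidatePrincipal` hook that re-checks the signed-in user against the directory every few minutes, so a deleted or disabled account is signed out well before the hour-long token lifetime ends and without the 1-minute cookie the answer warns against. `IUserDirectory`, its `ExistsAndEnabledAsync` method, the cache key prefix and the 5-minute interval are assumptions; the directory lookup is something you back with Microsoft Graph (for example a `GET /users/{id}`) or your own user store. The comment on `UseTokenLifetime` also explains the behaviour reported in Update 2: when the OpenID Connect handler stamps the ticket with the token's expiry, the cookie handler uses that expiry instead of `ExpireTimeSpan`, so a 10-minute `ExpireTimeSpan` still yields roughly an hour.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.AzureAD.UI;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.Caching.Memory;
using Microsoft.Extensions.DependencyInjection;

// Assumed abstraction (not part of the page): answers "does this object id still
// resolve to an enabled account?" Back it with a Microsoft Graph call such as
// GET /users/{id} in a real app.
public interface IUserDirectory
{
    Task<bool> ExistsAndEnabledAsync(string objectId);
}

public static class RevalidatingAuth
{
    // How stale a "user still exists" verdict may be before the directory is asked again (assumed value).
    private static readonly TimeSpan RecheckInterval = TimeSpan.FromMinutes(5);

    public static void Configure(IServiceCollection services)
    {
        services.AddMemoryCache();

        // Cookie expiry follows the id_token's exp (about 1h) rather than the 14-day cookie default.
        // This sets ExpiresUtc on the ticket, which takes precedence over
        // CookieAuthenticationOptions.ExpireTimeSpan.
        services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, o =>
        {
            o.UseTokenLifetime = true;
        });

        services.Configure<CookieAuthenticationOptions>(AzureADDefaults.CookieScheme, o =>
        {
            o.SlidingExpiration = false;
            // Runs on every request that carries the auth cookie.
            o.Events.OnValidatePrincipal = ValidatePrincipalAsync;
        });
    }

    private static async Task ValidatePrincipalAsync(CookieValidatePrincipalContext ctx)
    {
        ClaimsPrincipal principal = ctx.Principal;
        // Azure AD's oid claim; the default inbound claim mapping renames it to the long URI form.
        var oid = principal?.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier")?.Value
                  ?? principal?.FindFirst("oid")?.Value;

        if (string.IsNullOrEmpty(oid))
        {
            await Reject(ctx);
            return;
        }

        var services = ctx.HttpContext.RequestServices;
        var cache = services.GetRequiredService<IMemoryCache>();
        var directory = services.GetRequiredService<IUserDirectory>();

        // Cache the verdict per user for RecheckInterval so the directory is not hit on every
        // request. The cache lives in the app process, not in the cookie, so the cookie is never
        // reissued and its token-bound expiry stays intact.
        bool stillValid = await cache.GetOrCreateAsync("dircheck:" + oid, entry =>
        {
            entry.AbsoluteExpirationRelativeToNow = RecheckInterval;
            return directory.ExistsAndEnabledAsync(oid);
        });

        if (!stillValid)
        {
            await Reject(ctx);
        }
    }

    // Deleted or disabled user: discard the principal for this request and clear the cookie,
    // so the next request goes back to Azure AD, where sign-in for that account fails.
    private static async Task Reject(CookieValidatePrincipalContext ctx)
    {
        ctx.RejectPrincipal();
        await ctx.HttpContext.SignOutAsync(AzureADDefaults.CookieScheme);
    }
}
```

Call `RevalidatingAuth.Configure(services)` after `AddMicrosoftIdentityPlatformAuthentication(Configuration)` and register an `IUserDirectory` implementation. The same callback is the place to re-read roles or group claims from the directory and reject the principal if they no longer match what the cookie carries; keep the interval short enough for your risk tolerance, since a cached "true" verdict can be up to `RecheckInterval` stale.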




Answer 2:


It is not a real answer to my problem but it is working in our case.

We have our users in Google G Suite, and the plan was that, once we had implemented the MS Identity Platform in our new webapp, we would configure Google G Suite to use our AAD, resulting in one user base. Because integrating MS-IP proved to be very difficult and has a lot of nasty side-effects (like changing the logins of other MS-IP powered webapps), we decided to go the other way round.

We keep our users in Google G Suite and implemented the Google Authentication using this great blog: http://blazorhelpwebsite.com/Blog/tabid/61/EntryId/4356/Google-Authentication-in-Server-Side-Blazor.aspx

Now, within hours, we have what we need: one user base, and after logging in, the name and profile picture shown in the header.



Source: https://stackoverflow.com/questions/58833240/user-stays-logged-in-after-deleting-from-azure-ad
