ASP.net OWIN OAuth middleware with bearer token and changing roles - asp.net

I am using the standard ASP.net OWIN OAuth middleware system to authenticate local users with Bearer tokens. I was thinking of embedding roles as a claim in the token, but was wondering how I would be able to change a user's role, such as taking away admin privileges, without them logging out. Any ideas?

It's always possible to implement some dirty solutions to support your problem, for example:
When the roles have changed, raise an event in a queue like RabbitMQ / NServiceBus (or via event).
The subscriber (website) will invalidate the cookie and regenerate a new one with new claims.
I don't see the issue with waiting for the cookie to expire.
In fact a bearer token (identity or access) has an "expires_in" property, so even if your cookie
is regenerated with new claims, the token is still valid in the provider.
Another remark: your permissions can be returned by a UMA server; they shouldn't necessarily come from your claims.
Take a look at this scenario: http://lokit.westus.cloudapp.azure.com/Documentation#third-scenario-limit-access-to-certain-website-features
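One way to make a role change take effect before the bearer token's "expires_in" window ends is to validate a server-side "roles version" on every request. Added example (not from the question or the answer above) using the OWIN OAuth bearer provider; RoleVersionStore, the "roles_version" claim name and BuildIdentity are hypothetical names chosen here, and the store would be a database in practice.

```csharp
using System.Collections.Concurrent;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security.OAuth;

// Hypothetical server-side store: user id -> current "roles version".
// Bump the version whenever a user's roles change (e.g. admin removed).
public static class RoleVersionStore
{
    private static readonly ConcurrentDictionary<string, int> Versions =
        new ConcurrentDictionary<string, int>();

    public static int Get(string userId) => Versions.GetOrAdd(userId, 0);
    public static void Bump(string userId) => Versions.AddOrUpdate(userId, 1, (_, v) => v + 1);

    // Called when issuing the token (e.g. in GrantResourceOwnerCredentials):
    // records the version current at issue time next to the role claims.
    public static ClaimsIdentity BuildIdentity(string userId, string[] roles, string authType)
    {
        var identity = new ClaimsIdentity(authType);
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, userId));
        foreach (var role in roles) identity.AddClaim(new Claim(ClaimTypes.Role, role));
        identity.AddClaim(new Claim("roles_version", Get(userId).ToString()));
        return identity;
    }
}

// Register with: app.UseOAuthBearerAuthentication(
//     new OAuthBearerAuthenticationOptions { Provider = new RoleVersionBearerProvider() });
public class RoleVersionBearerProvider : OAuthBearerAuthenticationProvider
{
    public override Task ValidateIdentity(OAuthValidateIdentityContext context)
    {
        var identity = context.Ticket?.Identity;
        var userId = identity?.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        var versionClaim = identity?.FindFirst("roles_version")?.Value;

        // Reject tokens issued before the last role change, even though the
        // token itself is still unexpired and correctly signed.
        if (userId == null || versionClaim == null ||
            !int.TryParse(versionClaim, out var issuedVersion) ||
            issuedVersion != RoleVersionStore.Get(userId))
        {
            context.Rejected();
            return Task.CompletedTask;
        }

        context.Validated();
        return Task.CompletedTask;
    }
}
```

The cost is one store lookup per request; the benefit is that a stale token is rejected with 401 on its next use, so the client re-authenticates and receives the current roles.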

Related

Handling Logout in .NET Core (api side) with Cookie Authentication and OpenIdConnect

I'm working on an API core application with .NET core 5.
I protected the API with the following methods:
Cookie authentication
OpenIdConnect authentication (tokens kept in cookies, provided by an identity provider)
Custom session in memorycache
I use a derived CookieAuthenticationEvents to manage sessions, overriding the methods:
ValidatePrincipal : I check token expiration (local, no request to identity provider) and existence of user in custom session
SigningIn : add in session if not exists
It works fine, and now I wonder how to handle the log out.
I thought about these solutions, when the client hits my Logout API endpoint:
Calling logout to identity provider. It does invalidate token, but cookies on client side aren't deleted
Deleting user in my custom session. It does work, cookies still exist on client side but ValidatePrincipal will reject since no custom session for that cookie
Are those solutions "clean" ?
Or is there a .NET way to tell client to delete cookies / invalidate cookie ?
Thank you
EDIT
I tried this; it does delete cookies :)
HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme)
There is this one too, but I don't understand what it does; cookies aren't deleted and the token isn't revoked on the identity provider:
HttpContext.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme)
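Signing out of the OpenIdConnect scheme does not touch the local cookie: the handler only redirects the browser to the provider's end_session_endpoint (with the saved id_token as hint, which requires SaveTokens = true on the OIDC options). Added example (not from the post above) of a logout endpoint that clears the custom session, deletes the local cookie and then triggers the provider sign-out; the "sid" claim used as the session key is an assumption about the custom session.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Caching.Memory;

[ApiController]
[Route("api/[controller]")]
public class LogoutController : ControllerBase
{
    private readonly IMemoryCache _cache;

    public LogoutController(IMemoryCache cache) => _cache = cache;

    [HttpPost]
    public async Task<IActionResult> Post()
    {
        // 1. Drop the custom in-memory session so a replayed cookie fails
        //    ValidatePrincipal even if the browser keeps it (hypothetical key).
        var sessionKey = User.FindFirst("sid")?.Value;
        if (sessionKey != null)
        {
            _cache.Remove(sessionKey);
        }

        // 2. Delete the local authentication cookie: the cookie handler
        //    answers with a Set-Cookie whose expiry lies in the past.
        await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);

        // 3. End the session at the identity provider: the OIDC handler
        //    redirects to end_session_endpoint and sends the browser back
        //    to RedirectUri afterwards. Nothing is revoked unless the
        //    provider itself revokes on end-session.
        return SignOut(new AuthenticationProperties { RedirectUri = "/" },
                       OpenIdConnectDefaults.AuthenticationScheme);
    }
}
```

Because step 3 is a redirect, the client should navigate to this endpoint (form post or window.location) rather than call it with fetch and ignore the response.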

Owin Authentication: SSO token vs ID token

I have implemented sign-in to Microsoft to my ASP.NET web application. Everything works as intended, but I am struggling to comprehend how the sessions work. I am using OWIN middleware and OpenID connect.
What is the difference between the SSO-Token and the ID-token? Which one keeps me logged in?
What happens if I try to access claims (e.g. userClaims?.FindFirst(System.Security.Claims.ClaimTypes.Sid)?.Value) from an expired ID token?
How does !Request.IsAuthenticated realize that the current user is authenticated after the Microsoft login? Is this because the GenericIdentity is now a ClaimsIdentity, which returns true?
If I am logged in, and keep refreshing the site, at what point will I be forced to authenticate again? And what controls this time?
I understand what an ID-token is, and that it carries claims, and how I access and use the claims. I am just confused about how the session works after a user has logged in with their Microsoft account.
There is no SSO token. The id token represents proof of authentication and some basic user info is included in it. So your web app can get name, email etc.
Expiry is based on an auth cookie that the MS libraries issue. This is tied to another token, the refresh token, which represents the session time.
The id token has a digital signature that is cryptographically verified. Also your app supplies a client secret to help ensure that tokens can be trusted.
The cookie is given an expiry related to the refresh token. When the cookie expires the user has to login again.
FOR BETTER UNDERSTANDING
I would strongly recommend tracing messages, via a tool such as Fiddler, as in this blog post of mine.
Personally I prefer Single Page Apps, which only use tokens and not cookies. They make OAuth aspects easier to understand and code can be simpler, though there are still plenty of subtleties.

Provide a new token based on the refresh token without going to the client - JWT - Asp.net core

I have found many links but I didn't get the solution for my problem.
I am trying to implement the jwt refresh token in asp.net core.
For storing the refresh token, I have created the table.
Based on the jwt suggestion, for SPA application, we should not expose refresh token to the client. https://auth0.com/blog/refresh-tokens-what-are-they-and-when-to-use-them/
So I have planned it like this:
On user login, create the access token and share it with the client.
Create a refresh token for the access token, store it in the database and store it in an HTTP-only cookie.
When the user accesses an authorized controller and action, if the access token has expired, I want to generate a new token based on the refresh token.
But,
In many places, I have found that the user will send a request. If it is unauthorised, then the user will request a new access token with the stored refresh token (local storage or something else) and again call the valid API request.
I don't want to do that as mentioned in the last paragraph (is that the right one?).
When the user sends a request, if it is invalid, I want to validate the token on the server side itself, provide a new access token and proceed with the last API call.
Is there any solution for this implementation, like intercepting the authorize and validate?
In my opinion, it is dangerous to use/keep a refresh token in SPA apps. The refresh token is a powerful instrument, which is almost as powerful as the password itself. Store it in cookies or localStorage and both of these options are inherently insecure, as they're vulnerable to CSRF or XSS attacks against the client application. So I think it's better to just keep the access token and do silent sign-in to renew it when the access token expires.
So I don't think it's a good idea to return and use a refresh token if the client app is an SPA application, even using Code + PKCE.

How to validate JWT token in cookie after login with OpenIDconnect in ASP.NET Core

Currently examples like this using OIDC with Cookies:
https://andrewlock.net/an-introduction-to-openid-connect-in-asp-net-core/
and
https://stormpath.com/blog/openid-connect-user-authentication-in-asp-net-core
Don't seem to discuss how OpenID uses refresh tokens or handles expired JWT tokens in cookies.
Currently I have a working example that is able to login no problem, but after the exp in the token is expired there is no refresh token sent (even though I receive one), and the user is not invalidated. Essentially one login persists indefinitely...
Is the OpenIDConnect middleware meant to check/handle this? I have seen examples where they implement a validator and the "unprotect" method; however, I think because I am not just a bearer in my case I would need to implement the protect method also (or at least I get an error when I don't).
I've also looked at this answer here that states that it's not handled at all when the JWT is in cookies:
How to handle expired access token in asp.net core using refresh token with OpenId Connect
but it doesn't really say how to send the refresh token, just how to find when one is needed, and then "context.ShouldRenew = true;" should fetch a new cookie??
Is this really what is needed? It seems that the OIDC auth flow should handle refresh tokens without me having to implement my own way of sending them?
Am I off track?
Any help is appreciated.

Windows Identity Foundation: How to get new security token in ASP.net

I'm writing an ASP.net application that uses Windows Identity Foundation. My ASP.net application uses claims-based authentication with passive redirection to a security token service. This means that when a user accesses the application, they are automatically redirected to the Security Token Service where they receive a security token which identifies them to the application.
In ASP.net, security tokens are stored as cookies.
I want to have something the user can click on in my application that will delete the cookie and redirect them to the Security Token Service to get a new token. In short, make it easy to log out and log in as another user. I try to delete the token-containing cookie in code, but it persists somehow.
How do I remove the token so that the user can log in again and get a new token?
I found the solution. To put it succinctly:
' Modules(...) returns a plain IHttpModule, so cast it to the WIF module type.
Dim smartWsFederationAuthenticationModule As Microsoft.IdentityModel.Web.WSFederationAuthenticationModule = _
    DirectCast(HttpContext.Current.ApplicationInstance.Modules("WSFederationAuthenticationModule"), _
               Microsoft.IdentityModel.Web.WSFederationAuthenticationModule)
' Removes the session token cookie and performs the federated sign-out.
smartWsFederationAuthenticationModule.SignOut(True)
See here for more information: http://garrettvlieger.com/blog/2010/03/refreshing-claims-in-a-wif-claims-aware-application/
I also see that I can get handles to some other parts of the WIF framework this way, as well. It's definitely worth the read.
Cookies are a bit strange. They are managed by the browser and there is no "Method" to delete them. Just deleting them from the Request or Response objects on the server side does not remove them from the browser on the client side.
To "Delete" a cookie you have to set its expiration date to the past.
See: http://msdn.microsoft.com/en-us/library/ms178195.aspx
