[英]Clear all cookies from browser does not sign out users from Azure AD
I have set specific cookie expiration policies in my Azure AD setup in my program.cs file however regardless of if the cookie expires refreshing the page just reloads all the cookies back again instead of forcing them to relogin.我已经在我的 program.cs 文件中的 Azure AD 设置中设置了特定的 cookie 过期策略,但是无论 cookie 是否过期,刷新页面都会重新加载所有 cookie,而不是强制它们重新登录。 Is this not controlled by ASP.NET Core?
这不是由 ASP.NET Core 控制的吗? I cannot figure out how to do this.
我不知道该怎么做。 I want a user to have to relogin if the cookie is no longer valid as it starts to cause CORS errors on the page once it expires for every api call it makes to my controllers (all of which use Authorize tag).
如果 cookie 不再有效,我希望用户必须重新登录,因为一旦它对我的控制器进行的每个 api 调用(所有这些都使用 Authorize 标记)过期,它就会开始在页面上导致 CORS 错误。
My program.cs is as follows:我的program.cs如下:
//authentication pipline
builder.Services.AddHttpContextAccessor();
var initialScopes = builder.Configuration.GetValue<string>("DownstreamApi:Scopes")?.Split(' ');
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApp(options =>
{
builder.Configuration.Bind("AzureAd", options);
options.Events = new OpenIdConnectEvents
{
//Tap into this event to add a UserID Claim to a new HttpContext identity
OnTokenValidated = context =>
{
//This query returns the UserID from the DB by sending the email address in the claim from Azure AD
string query = "select dbo.A2F_0013_ReturnUserIDForEmail(@Email) as UserID";
string connectionString = builder.Configuration.GetValue<string>("ConnectionStrings:DBContext");
string signInEmailAddress = context.Principal.FindFirstValue("preferred_username");
using (var connection = new SqlConnection(connectionString))
{
var queryResult = connection.QueryFirst(query, new { Email = signInEmailAddress });
var claims = new List<Claim>
{
new Claim("UserID", queryResult.UserID.ToString())
};
var appIdentity = new ClaimsIdentity(claims);
context.Principal.AddIdentity(appIdentity);
}
return Task.CompletedTask;
},
};
}, CookieOptions =>
{
CookieOptions.SlidingExpiration = true;
CookieOptions.LoginPath = "/Login/";
CookieOptions.LogoutPath = "/Logout/";
CookieOptions.ExpireTimeSpan = TimeSpan.FromMinutes(15);
})
.EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
.AddMicrosoftGraph(builder.Configuration.GetSection("DownstreamApi"))
.AddInMemoryTokenCaches();
I was hoping once that cookie expires it would force them to the login path indicated in the cookie options on the next page refresh or API call to the controller but it does nothing.我希望一旦 cookie 过期,它会强制他们进入下一页刷新时 cookie 选项中指示的登录路径或对控制器的 API 调用,但它什么都不做。
I trust you already noticed that, when you integrate Azure AD into your app, you can sign in by redirect to microsoft identity page, and when you want to sign out, you also need to redirect to microsoft identity page to choose an account to sign out.相信你已经注意到,当你将 Azure AD 集成到你的应用程序中时,你可以通过重定向到微软身份页面登录,当你想要退出时,你还需要重定向到微软身份页面来选择一个帐户进行签名出去。 And this is why you can't set the user login expire time by only changing the cookie lifetime.
这就是为什么您不能仅通过更改 cookie 生存期来设置用户登录过期时间的原因。
You signed in identity platform and Azure AD will give your app an id token, then the cookie authentication in your local app will generate cookie value and stored it in the browser.您登录身份平台,Azure AD 会给您的应用程序一个 id 令牌,然后您本地应用程序中的 cookie 身份验证将生成 cookie 值并将其存储在浏览器中。 When you delete the cookie or it has been expired, it should redirect back to microsoft identity page, but actually the user already signed in with the microsoft account and the sign in information hasn't been expired that time so that it wouldn't require to enter username/password but return with the id token directly.
当你删除 cookie 或它已经过期时,它应该重定向回微软身份页面,但实际上用户已经使用微软帐户登录并且登录信息尚未过期,因此不需要输入用户名/密码但直接返回 id 令牌。 Finally a new cookie was generated and authentication done.
最后生成了一个新的 cookie 并完成了身份验证。
According to your requirement, I'm afraid you can going to this document to find a good policy for you to set up in your Azure AD, you need to use the Conditional Access Administrator, Security Administrator, or Global Administrator account
to sign in Azure portal to set the policy.根据你的要求,恐怕你可以去这个文档找到一个好的策略让你在你的 Azure AD 中设置,你需要使用
Conditional Access Administrator, Security Administrator, or Global Administrator account
登录 Azure设置策略的门户。 Going to Azure Active Directory > Security > Conditional Access
for adding the policy.转到
Azure Active Directory > Security > Conditional Access
以添加策略。 But it require Premium pricing tier.但它需要高级定价层。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.