清除浏览器中的所有 cookie 不会从 Azure AD 中注销用户

Question

I have set specific cookie expiration policies in my Azure AD setup in my program.cs file however regardless of if the cookie expires refreshing the page just reloads all the cookies back again instead of forcing them to relogin. Is this not controlled by ASP.NET Core? I cannot figure out how to do this. I want a user to have to relogin if the cookie is no longer valid as it starts to cause CORS errors on the page once it expires for every api call it makes to my controllers (all of which use Authorize tag).

My program.cs is as follows:

    //authentication pipline
builder.Services.AddHttpContextAccessor();
var initialScopes = builder.Configuration.GetValue<string>("DownstreamApi:Scopes")?.Split(' ');
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
                .AddMicrosoftIdentityWebApp(options =>
                {
                    builder.Configuration.Bind("AzureAd", options);
                    options.Events = new OpenIdConnectEvents
                    {
                        //Tap into this event to add a UserID Claim to a new HttpContext identity
                        OnTokenValidated = context =>
                        {
                            //This query returns the UserID from the DB by sending the email address in the claim from Azure AD
                            string query = "select dbo.A2F_0013_ReturnUserIDForEmail(@Email) as UserID";
                            string connectionString = builder.Configuration.GetValue<string>("ConnectionStrings:DBContext");
                            string signInEmailAddress = context.Principal.FindFirstValue("preferred_username");

                            using (var connection = new SqlConnection(connectionString))
                            {
                                var queryResult = connection.QueryFirst(query, new { Email = signInEmailAddress });

                                var claims = new List<Claim>
                                {
                                    new Claim("UserID", queryResult.UserID.ToString())
                                };

                                var appIdentity = new ClaimsIdentity(claims);

                                context.Principal.AddIdentity(appIdentity);
                            }

                            return Task.CompletedTask;
                        },
                    };

                }, CookieOptions =>
                {
                    CookieOptions.SlidingExpiration = true;
                    CookieOptions.LoginPath = "/Login/";
                    CookieOptions.LogoutPath = "/Logout/";
                    CookieOptions.ExpireTimeSpan = TimeSpan.FromMinutes(15);
                })
                    .EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
                        .AddMicrosoftGraph(builder.Configuration.GetSection("DownstreamApi"))
                        .AddInMemoryTokenCaches();

I was hoping once that cookie expires it would force them to the login path indicated in the cookie options on the next page refresh or API call to the controller but it does nothing.

Answer 1

I trust you already noticed that, when you integrate Azure AD into your app, you can sign in by redirect to microsoft identity page, and when you want to sign out, you also need to redirect to microsoft identity page to choose an account to sign out. And this is why you can't set the user login expire time by only changing the cookie lifetime.

You signed in identity platform and Azure AD will give your app an id token, then the cookie authentication in your local app will generate cookie value and stored it in the browser. When you delete the cookie or it has been expired, it should redirect back to microsoft identity page, but actually the user already signed in with the microsoft account and the sign in information hasn't been expired that time so that it wouldn't require to enter username/password but return with the id token directly. Finally a new cookie was generated and authentication done.

According to your requirement, I'm afraid you can going to this document to find a good policy for you to set up in your Azure AD, you need to use the Conditional Access Administrator, Security Administrator, or Global Administrator account to sign in Azure portal to set the policy. Going to Azure Active Directory > Security > Conditional Access for adding the policy. But it require Premium pricing tier.