
OWIN Authentication and “online users”

I have a project that uses a centralized ASP.NET MVC website which is implementing the OWIN ASP.NET Identity architecture. Our centralized website has been used to:

  • grant token with username/password
  • grant refresh token
  • add/remove and modify users/roles and claims
  • grant token via OAuthentication and Social Login (Twitter, Facebook ...)

So far so good but now I got a new request. The tier should be able to "track online users" which is impossible, in my opinion, because the ASP.NET Identity OAuth is granting tokens and refresh tokens but it doesn't have any concept of "session" and "online authenticated users".

Any idea or suggestion on how I can implement this functionality?

It depends a bit on your exact definition for tracking online users, but assuming a relaxed definition of it you can accomplish this by introducing exactly what you said you don't have yet: sessions.

In authentication terms, your ASP.NET MVC application is acting as identity provider/authorization server (IP/AS), but that doesn't mean it can't or shouldn't have the notion of a session. Generally sessions are common practice in IP/AS because this way they can provide single sign-on for applications that rely on them.

For example, both Google and Facebook act as IP/AS for other applications and they both maintain sessions. You could argue that in the two cases they do much more than merely acting as IP/AS so sessions are a must have.

However, providers that focus only on authentication and authorization services also rely on sessions. For example, Auth0 uses sessions as a way to provide the single sign-on experience I mentioned previously.

By introducing sessions you should be able to maintain a list of online/authenticated users from the perspective of the IP/AS. The big question is if that is indeed what your business users want when they say track online users.


Disclosure: I'm an Auth0 engineer.



Update:

Regarding the actual implementation of a session, it depends on the requirements, but the traditional approach of client-side cookie and server-side durable storage should do the trick. It does not need to be integrated with ASP.NET Identity, you just need to track that a given user identity (through its user unique identifier) has an active session; done when they authenticate.

Then there's the problem of deciding when that session ends; that's the part that will mostly depend on exact requirements. It can be as simple as the user also going to the IP/AS to log out, or more tricky if you want to trigger single sign-out from within another application.

In relation to the tokens you can also consider revoking refresh tokens upon session ending (logout). In summary, there's a lot of moving parts and things to implement.

If you haven't done it already you should also check:
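The session design the answer sketches (opaque client-side cookie, server-side store keyed only by the user's unique identifier, created at authentication, ended at logout with refresh-token revocation, or dropped after an idle timeout), as an added example that is not from the question, the answer, or ASP.NET Identity itself. The `revokeRefreshTokens` delegate is a hypothetical hook into whatever token store the IP/AS uses; the in-memory dictionary stands in for the durable storage the answer mentions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;

public sealed class SessionRegistry
{
    private sealed class Session { public string UserId; public DateTimeOffset LastSeen; }

    private readonly ConcurrentDictionary<string, Session> _sessions =
        new ConcurrentDictionary<string, Session>();
    private readonly TimeSpan _idleTimeout;
    private readonly Action<string> _revokeRefreshTokens; // hypothetical hook into your token store

    public SessionRegistry(TimeSpan idleTimeout, Action<string> revokeRefreshTokens)
    {
        _idleTimeout = idleTimeout;
        _revokeRefreshTokens = revokeRefreshTokens;
    }

    // Called once the IP/AS has authenticated the user. Returns the opaque id to place in an
    // HttpOnly, Secure cookie; the cookie carries no user data, only this random handle.
    public string Start(string userId, DateTimeOffset now)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        var sessionId = BitConverter.ToString(bytes).Replace("-", "");
        _sessions[sessionId] = new Session { UserId = userId, LastSeen = now };
        return sessionId;
    }

    // Call on every authenticated request: refreshes the idle clock, or drops a stale session.
    public bool Touch(string sessionId, DateTimeOffset now)
    {
        Session s;
        if (!_sessions.TryGetValue(sessionId, out s)) return false;
        if (now - s.LastSeen > _idleTimeout) { _sessions.TryRemove(sessionId, out s); return false; }
        s.LastSeen = now;
        return true;
    }

    // Logout: end the session and revoke the user's refresh tokens, as the answer suggests.
    public void Logout(string sessionId)
    {
        Session s;
        if (_sessions.TryRemove(sessionId, out s)) _revokeRefreshTokens(s.UserId);
    }

    // "Online users" from the IP/AS perspective: distinct user ids with a non-idle session.
    public IReadOnlyCollection<string> OnlineUsers(DateTimeOffset now)
    {
        return _sessions.Values.Where(s => now - s.LastSeen <= _idleTimeout)
                        .Select(s => s.UserId).Distinct().ToList();
    }
}
```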
