ID token validation in case of MVC application

Hi Team,
I have a Sample MVC application downloaded from Auth0. The configuration is the default configuration there with the sample application.
Included the below middleware:

```csharp
app.UseAuthentication();
app.UseAuthorization();
```

Performing the following steps:

  1. Ran and logged in to the application successfully.
  2. Later I went to my Auth0 account and changed the Id token expiration time to 10 sec in my application configuration.
  3. Now I ran my sample application again, logged in and waited for 15 seconds.
  4. After 15 seconds I browsed to an [Authorize] endpoint.
  5. Expected: The application should show some token expiration message and should not allow browsing to the [Authorize] endpoint.
    Actual: The application is not showing any token expiration message and allows browsing to the [Authorize] endpoint.
    Please provide suggestions on how to validate an ID token in an MVC application, so that the application does not allow browsing to the [Authorize] endpoint.

Hi @pradeepta.meher ,

I noticed that you opened a Support ticket for the same issue. Once our DSE solves it, I will share the details on this topic to make it beneficial to other folks in our Community as well!

Thanks!

We use the default cookie middleware, and the OIDC package from aspnetcore. Our SDK doesn't handle any of that. The Microsoft.AspNetCore.Authentication.Cookies package allows you to specify a SessionStore (which implements ITicketStore) that can be used to store things server side in a session. If not, everything goes in the cookie.

We register the cookie middleware and use default config, but you can still configure the cookie middleware the way you like. If you would like to configure the Microsoft.AspNetCore.Authentication.Cookies middleware to use a session, you can configure it as such:

```csharp
using Auth0.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;

public void ConfigureServices(IServiceCollection services)
{
    services
        .AddAuth0WebAppAuthentication(PlaygroundConstants.AuthenticationScheme, options =>
        {
            options.Domain = Configuration["Auth0:Domain"];
            options.ClientId = Configuration["Auth0:ClientId"];
            options.ClientSecret = Configuration["Auth0:ClientSecret"];
        });
    // IMemoryCache is a constructor dependency of CustomInMemoryTicketStore
    services.AddMemoryCache();
    // Configure a custom ITicketStore to store the Identity Information on the server
    services.AddTransient<ITicketStore, CustomInMemoryTicketStore>();
    // Configure the Cookie Middleware to use the CustomInMemoryTicketStore
    services.AddSingleton<IPostConfigureOptions<CookieAuthenticationOptions>, ConfigureCookieAuthenticationOptions>();
}
```

and

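```csharp
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.Extensions.Options;

// Runs after the cookie options are configured and plugs in the server-side ticket store
public class ConfigureCookieAuthenticationOptions
    : IPostConfigureOptions<CookieAuthenticationOptions>
{
    private readonly ITicketStore _ticketStore;

    public ConfigureCookieAuthenticationOptions(ITicketStore ticketStore)
    {
        _ticketStore = ticketStore;
    }

    public void PostConfigure(string name, CookieAuthenticationOptions options)
    {
        // With a SessionStore set, the cookie carries only the session key
        options.SessionStore = _ticketStore;
    }
}
```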

Every request will then call the below TicketStore’s “RetrieveAsync” method:

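```csharp
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.Extensions.Caching.Memory;

public class CustomInMemoryTicketStore : ITicketStore
{
    private readonly IMemoryCache _cache;

    public CustomInMemoryTicketStore(IMemoryCache cache)
    {
        _cache = cache;
    }

    // Called on sign-out: drop the server-side session
    public Task RemoveAsync(string key)
    {
        _cache.Remove(key);

        return Task.CompletedTask;
    }

    // Called on every authenticated request to load the ticket for the session key
    public Task<AuthenticationTicket> RetrieveAsync(string key)
    {
        var ticket = _cache.Get<AuthenticationTicket>(key);

        return Task.FromResult(ticket);
    }

    // Called when the cookie middleware renews the session
    public Task RenewAsync(string key, AuthenticationTicket ticket)
    {
        _cache.Set(key, ticket);

        return Task.CompletedTask;
    }

    // Called on sign-in: the "sid" claim is used as the session key
    public Task<string> StoreAsync(AuthenticationTicket ticket)
    {
        var key = ticket.Principal.Claims
            .First(c => c.Type == "sid").Value;

        _cache.Set(key, ticket);

        return Task.FromResult(key);
    }
}
```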

The above TicketStore simply stores in memory, but shows how you can add in a session layer by configuring the Microsoft.AspNetCore.Authentication.Cookies middleware.
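
Building on the CustomInMemoryTicketStore in the reply above, here is an added example (not from the original thread or the Auth0 SDK) of a ticket store that ends the server-side session once the ID token has expired, which is the behaviour the question asks for. The class name `IdTokenBoundTicketStore` is hypothetical; the code assumes the OIDC handler saved the tokens into the authentication ticket and that the System.IdentityModel.Tokens.Jwt package is referenced.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.Extensions.Caching.Memory;

// Hypothetical store: the cached ticket is evicted when the ID token's exp passes.
public class IdTokenBoundTicketStore : ITicketStore
{
    private readonly IMemoryCache _cache;
    public IdTokenBoundTicketStore(IMemoryCache cache) => _cache = cache;

    public Task<string> StoreAsync(AuthenticationTicket ticket)
    {
        var key = ticket.Principal.Claims.First(c => c.Type == "sid").Value;
        Save(key, ticket);
        return Task.FromResult(key);
    }

    // Sliding renewal re-saves the ticket; Save keeps the ID token cap.
    public Task RenewAsync(string key, AuthenticationTicket ticket)
    {
        Save(key, ticket);
        return Task.CompletedTask;
    }

    // Null (evicted or never stored) makes the cookie handler fail
    // authentication, so [Authorize] endpoints trigger a new challenge.
    public Task<AuthenticationTicket> RetrieveAsync(string key) =>
        Task.FromResult(_cache.Get<AuthenticationTicket>(key));

    public Task RemoveAsync(string key) { _cache.Remove(key); return Task.CompletedTask; }

    private void Save(string key, AuthenticationTicket ticket)
    {
        DateTimeOffset? expires = ticket.Properties.ExpiresUtc; // cookie lifetime
        // Assumption: the OIDC handler saved the tokens into the ticket.
        var idToken = ticket.Properties.GetTokenValue("id_token");
        if (idToken != null)
        {
            // exp is only read here; the signature was validated at login.
            DateTimeOffset exp = new JwtSecurityTokenHandler().ReadJwtToken(idToken).ValidTo;
            if (expires == null || exp < expires) expires = exp;
        }
        if (expires == null || expires <= DateTimeOffset.UtcNow) { _cache.Remove(key); return; }
        _cache.Set(key, ticket, expires.Value);
    }
}
```

To try it, register this class as the `ITicketStore` in `ConfigureServices` in place of `CustomInMemoryTicketStore`.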