Our application was required to adopt new ciam solution being provided by another party. They are using auth0 and are only providing authentication no authorization management. Our current application uses ASP.NET Core identity for our managing all the various roles and permissions. It was decided we would simple let the users authentication with auth0 and when they returned with their id_token we would map them back to the appropriate user in our system and sign them into identity.
Super basic outline
- Customer visits the site and clicks Sign In
- Customer is redirected to the sign in method of our api which issues the challenge to auth0 and redirects the user.
- User provides credentials and is redirected back to api with id_token.
- Token is validated and user is signed in and redirected back to application with auth cookie (from identity, not auth0).
Example:
public static WebApplicationBuilder ConfigureAuth(this WebApplicationBuilder builder)
{
//…
builder.Services.AddAuthentication().AddOpenIdConnect(Constants.Auth0.AuthenticationScheme, options =>
{
options.Authority = auth0Authority;
options.ClientId = auth0ClientId;
options.ResponseType = OpenIdConnectResponseType.IdToken;
options.Events = new OpenIdConnectEvents
{
//…
OnTokenValidated = async context =>
{
//…
await SignInManager.SignInWithClaimsAsync(user);
}
};
});
}
So you can see once the token is validated we do some mapping and then sign in with identity and let them through.
All of this seems to be working fine and we so far haven’t had any real issues. But we’ve noticed there can sometimes be some weirdness around the auth0 session and our own session. Specifically when we terminate our session but then they attempt to sign in again and are immediately authenticated without needing to provide credentials again.
Basically, as soon as we’ve signed them into our system we don’t need the auth0 session anymore and need a way to silently end it. We played around with calling ttps://{yourDomain}/oidc/logout?logout_hint={yourIdToken} but it only seems to work if it’s actually opened in a browser window, just calling it quietly doesn’t actually do anything (though amusingly if you inspect the response the page will always say “You have successfully logged out“ regardless of where or what you call it with).
What would be some approaches we can take from our end to silently terminate the auth0 session as soon as we’ve authenticated them in our system?