This repository has been archived by the owner on Sep 18, 2021. It is now read-only.

Add cookie authentication validator for primary authentication type #418

Closed
cortex93 opened this issue Oct 5, 2014 · 5 comments

Comments

@cortex93

cortex93 commented Oct 5, 2014

Hi,

Would it be possible to add SecurityStampValidator support to ids? This would allow invalidating a persistent cookie.
From Microsoft Identity samples:

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Account/Login"),
        Provider = new CookieAuthenticationProvider
        {
            // Enables the application to validate the security stamp when the user logs in.
            // This is a security feature which is used when you change a password or add an external login to your account.
            OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                validateInterval: TimeSpan.FromMinutes(30),
                regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
        }
    });

@leastprivilege
Member

Could you explain more why you want that?

@brockallen
Member

I suspect they want the authentication cookie to be invalidated if the user has changed their password. I think we can achieve that by calling IsActive on the user service passing the identity from the authentication cookie.

@cortex93
Author

cortex93 commented Oct 6, 2014

Yes, a custom IUserService would return an AuthenticationResult with an identity with a secret value claim. Then, the cookie authentication middleware would call to check if the secret value is still the known one. If not, the cookie is invalidated.
Calling IsActive each time the cookie authentication happens would be fine, I guess, although the name would not reveal clear intent.

@brockallen
Member

For now, we're making this post-RTM.

@brockallen brockallen added this to the Post RTM milestone Oct 13, 2014
@brockallen
Member

This can now be done via IsActive on the user service, as it's invoked from the authorize endpoint. I have a TODO to show in a sample: #482.

@leastprivilege leastprivilege removed this from the Post RTM milestone Nov 12, 2014
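
Added example, not part of the original thread and not IdentityServer's own code: a sketch of the check discussed above, in which a stamp claim placed in the cookie identity at login is compared with the user's current stamp on every IsActive-style call, so rotating the stamp makes older cookies fail. `StampStore`, `StampClaimType`, `SignIn`, `Rotate` and this `IsActive` signature are hypothetical stand-ins for a custom user service and its user store.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Claims;

// Hypothetical in-memory stand-in for the user store; a real one persists the stamp.
public sealed class StampStore
{
    public const string StampClaimType = "security_stamp"; // assumed claim name
    private readonly ConcurrentDictionary<string, string> _stamps = new ConcurrentDictionary<string, string>();

    // Call on password change or when an external login is added.
    public string Rotate(string userId) => _stamps[userId] = Guid.NewGuid().ToString("N");

    // Login: build the identity that is serialized into the authentication cookie.
    public ClaimsIdentity SignIn(string userId)
    {
        var stamp = _stamps.GetOrAdd(userId, _ => Guid.NewGuid().ToString("N"));
        return new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.NameIdentifier, userId),
            new Claim(StampClaimType, stamp)
        }, "Cookies");
    }

    // IsActive-style check: fail closed on a missing claim, an unknown user or a stale stamp.
    public bool IsActive(ClaimsPrincipal subject)
    {
        var id = subject.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        var stamp = subject.FindFirst(StampClaimType)?.Value;
        if (id == null || stamp == null) return false;
        return _stamps.TryGetValue(id, out var current)
            && string.Equals(current, stamp, StringComparison.Ordinal);
    }
}

public static class Demo
{
    public static void Main()
    {
        var store = new StampStore();
        var cookie = new ClaimsPrincipal(store.SignIn("alice")); // constructed sample user
        Console.WriteLine(store.IsActive(cookie)); // checked with the stamp issued at login
        store.Rotate("alice");                     // password change rotates the stamp
        Console.WriteLine(store.IsActive(cookie)); // same cookie checked against the new stamp
    }
}
```

A stale cookie is only rejected where the check actually runs, which the thread places at the authorize endpoint.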