ADAZUSER asked azure-cxp-api edited

My ASP.NET MVC web application logs out its users after close to 60 mins. Is there any way to extend the token expiry?

I can see that IsAuthenticated is set to false when the timeout period (60 minutes) is reached. I am using the Azure AD for authentication with OpenIDConnect. Any approaches on how I can extend this?

Tags: azure-active-directory, azure-ad-tenant

Hi, are there any updates with this case? If not, please select the appropriate response as "Answered." Otherwise please let us know how we can assist you.

soumi-MSFT answered ADAZUSER commented

@ADAZUSER, thank you for reaching out. By default, an access-token's validity is for 1 hr and after one hour you would need another access-token to continue with the session.

Now, to provide users a seamless SSO experience, AAD issues something called a refresh token, which is used to get another access-token from AAD. If you use any Microsoft libraries like MSAL, the library itself would handle the issuance of the refresh token and also using that refresh token to get another access-token.

To make sure you get the refresh token from AAD, you would need to use either the Auth-Code Grant flow of OAuth2.0 or OpenIDConnect. You can also take a look at the following article, which would help you with using the refresh token: https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect

Hope this helps.

Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.

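To make the refresh-token point in the answer above concrete, here is an added example (not code from this thread or from the linked sample) of how an ASP.NET app using MSAL.NET redeems the authorization code once and then renews the access token silently after the one-hour lifetime. The client id, secret, authority, redirect URI and scope are placeholders, and the token cache is the library's default in-process cache.

```csharp
// Added example: silent access-token renewal with MSAL.NET (Microsoft.Identity.Client).
// All configuration values below are placeholders, not values from the thread.
using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class TokenRenewal
{
    private const string ClientId = "<client-id>";          // placeholder
    private const string ClientSecret = "<client-secret>";  // placeholder
    private const string Authority = "https://login.microsoftonline.com/<tenant-id>/v2.0";
    private const string RedirectUri = "https://localhost:44300/signin-oidc";
    private static readonly string[] Scopes = { "User.Read" };

    private static readonly IConfidentialClientApplication App =
        ConfidentialClientApplicationBuilder.Create(ClientId)
            .WithClientSecret(ClientSecret)
            .WithAuthority(new Uri(Authority))
            .WithRedirectUri(RedirectUri)
            .Build();

    // Step 1: called once, from the OpenID Connect AuthorizationCodeReceived notification.
    // MSAL redeems the code and stores both the access token and the refresh token in its
    // cache. The returned account identifier is what the app keeps with the user's session.
    public static async Task<string> RedeemAuthCodeAsync(string authorizationCode)
    {
        AuthenticationResult result = await App
            .AcquireTokenByAuthorizationCode(Scopes, authorizationCode)
            .ExecuteAsync();
        return result.Account.HomeAccountId.Identifier;
    }

    // Step 2: called on every later request that needs a token. MSAL returns the cached
    // access token while it is valid and, once it is near expiry, exchanges the refresh
    // token for a new one with no user interaction. Returns null when silent renewal is
    // not possible (refresh token expired or revoked, or cache lost) so the caller can
    // send the user back through the sign-in flow instead of failing open.
    public static async Task<string> GetAccessTokenAsync(string homeAccountId)
    {
        IAccount account = await App.GetAccountAsync(homeAccountId);
        if (account == null)
        {
            return null;
        }

        try
        {
            AuthenticationResult result = await App
                .AcquireTokenSilent(Scopes, account)
                .ExecuteAsync();
            return result.AccessToken;
        }
        catch (MsalUiRequiredException)
        {
            // The refresh token itself is no longer usable; interactive sign-in is required.
            return null;
        }
    }
}
```

AcquireTokenSilent is the call that keeps the session alive past the one-hour access-token lifetime; MsalUiRequiredException is the signal that the refresh token is gone and the only safe response is a new authorization-code round trip. The default confidential-client cache lives in the web process, so a web farm needs the cache serialized per user, which is what the session-based token store in the other answer provides.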

@ADAZUSER, just wanted to check if the above response helped you or if there are any more queries around this so that we can help you better. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.

@soumi-MSFT Thank you, yes I understand.

I found another approach where I can bypass the logout by having the TokenLifetime property set to false. It does the trick, but now the only concern is that if I close the browser and then re-open the browser and access my link, Azure AD doesn't re-authenticate; instead it directly gets me logged in to the application. It's not just for an hour; also if I try to do this after 8 hours I am still not asked for my credentials. It does go to login.microsoftonline.com/......... but directly takes me to the application from there without any prompt.

How can I stop this and force re-authentication after a given time frame?

Also, I saw conditional policies which I can use to extend the same using PowerShell, but then realized it's deprecated. There are features that can be done using the Azure Portal, but I don't have a license as of now and may have to take a free trial plan; before I proceed I just wanted to know if this will resolve the issue.

soumi-MSFT answered ADAZUSER edited

@ADAZUSER, Which library are you using for your ASP .NET MVC app, ADAL.net or MSAL.net?

Also, you can try checking the following samples listed here: https://docs.microsoft.com/en-us/azure/active-directory/develop/sample-v2-code

The samples for ASP .NET Framework and ASP .NET Core do implement OpenIDConnect for authentication, hence the sign-in and sign-out functions are listed there, which you can refer to.

Also, the signout function should help you as I myself have created an application and I use the following as the signout code:

AccountController.cs:

    using System.Security.Claims;
    using System.Web;
    using System.Web.Mvc;
    using Microsoft.Owin.Security.Cookies;

    public ActionResult SignOut()
    {
        if (Request.IsAuthenticated)
        {
            // Drop the MSAL token cache kept in the server-side session for this user.
            var tokenStore = new SessionTokenStore(null,
                System.Web.HttpContext.Current, ClaimsPrincipal.Current);

            tokenStore.Clear();

            // Sign out of the application's own cookie session only; the Azure AD
            // SSO session in the browser is not ended by this call.
            Request.GetOwinContext().Authentication.SignOut(
                CookieAuthenticationDefaults.AuthenticationType);
        }

        return RedirectToAction("Index", "Home");
    }

SessionTokenStore.cs

    using System.Threading;
    using System.Web;

    // Uses the class's sessionLock (a ReaderWriterLockSlim), httpContext and
    // tokenCacheKey fields, which are not shown here.
    public void Clear()
    {
        sessionLock.EnterWriteLock();

        try
        {
            // Remove the serialized token cache, so the next request has to acquire
            // tokens again instead of reusing a cached refresh token.
            httpContext.Session.Remove(tokenCacheKey);
        }
        finally
        {
            sessionLock.ExitWriteLock();
        }
    }

This piece of code works flawlessly, and it uses the MSAL.net library.

@soumi-MSFT I am working on top of the application that I got from portal.azure.com. Refer to the link below and please guide me on what can be done, as this is the closest to what I am working on.

https://github.com/AzureADQuickStarts/AppModelv2-WebApp-OpenIDConnect-DotNet

@ADAZUSER, that sample implements a cookie-based logout process, whereas the one I shared above is the session-based logout process, which is more reliable. Try the sample and the snippet shared above; it works well.

@soumi-MSFT
Yes, it's cookie based.
My requirement is: if the user logs in to my application, I want him to be connected for both my system (which is already handled) and also at the Azure end for 4 hours. If the user tries to re-login after closing the browser and it's within the 4-hour range, then it's okay if Azure doesn't prompt him for the credentials, but if he tries to login after 4 hours, I want Azure to force him to enter his credentials to go further. (This is not currently happening; Azure just asks to choose the account and then the user is taken to the application page.) I want to set the lifetime for the token that Azure sends; that way I can achieve what I wish for.
This is something that is only happening for those users who work for the organization that created that tenant and not for the other users having a different domain email address.

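The requirement in the last comment (stay signed in for 4 hours across browser restarts, then be forced to enter credentials even though Azure AD still has an SSO session) is a session-lifetime policy the application can enforce itself. Here is an added example, not code from this thread or from the quick-start sample, of an OWIN Startup that gives the application cookie an absolute 4-hour lifetime and sends prompt=login on every sign-in challenge. It assumes Microsoft.Owin.Security.OpenIdConnect 4.x; the client id, tenant id and redirect URI are placeholders.

```csharp
// Added example: absolute 4-hour application session plus forced re-authentication
// at Azure AD when the session has lapsed. Configuration values are placeholders.
using System;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public class Startup
{
    private const string ClientId = "<client-id>";  // placeholder
    private const string Authority = "https://login.microsoftonline.com/<tenant-id>/v2.0";
    private const string RedirectUri = "https://localhost:44300/";
    private static readonly TimeSpan MaxSessionAge = TimeSpan.FromHours(4);

    public void Configuration(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            // Absolute lifetime: the app session ends 4 hours after sign-in,
            // regardless of how active the user is (no sliding renewal).
            ExpireTimeSpan = MaxSessionAge,
            SlidingExpiration = false,
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = ClientId,
            Authority = Authority,
            RedirectUri = RedirectUri,
            PostLogoutRedirectUri = RedirectUri,
            Scope = "openid profile",
            ResponseType = "id_token",
            // Decouple the cookie lifetime from the 1-hour id_token lifetime.
            UseTokenLifetime = false,
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                RedirectToIdentityProvider = ctx =>
                {
                    // Every sign-in challenge from this app demands fresh credentials,
                    // even when Azure AD still holds an SSO session for the browser.
                    if (ctx.ProtocolMessage.RequestType == OpenIdConnectRequestType.Authentication)
                    {
                        ctx.ProtocolMessage.Prompt = "login";
                    }
                    return Task.FromResult(0);
                },
                SecurityTokenValidated = ctx =>
                {
                    // Persist the cookie so closing the browser inside the 4-hour window
                    // does not end the session; the absolute expiry set here still applies.
                    ctx.AuthenticationTicket.Properties.IsPersistent = true;
                    ctx.AuthenticationTicket.Properties.ExpiresUtc =
                        DateTimeOffset.UtcNow.Add(MaxSessionAge);
                    return Task.FromResult(0);
                },
            },
        });
    }
}
```

Within the 4-hour window the persistent cookie keeps the user signed in across browser restarts with no round trip to Azure AD at all. Once the cookie expires, the next [Authorize] challenge reaches Azure AD with prompt=login, which overrides the silent account-picker sign-in described in the comments. The trade-off is that every challenge, including the first sign-in after an explicit sign-out, asks for credentials; if that is unwanted, set Prompt conditionally from a value placed in the challenge's AuthenticationProperties instead of unconditionally. Enforcing the same limit tenant-wide is what the Conditional Access sign-in frequency policy mentioned earlier in the thread does, and that is the licensed option.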