
alexandre-spieser commented on June 11, 2024

Hi, this package uses Microsoft.AspNetCore.Identity version 2.1.6 that does not have the latest changes regarding IdentityServer.
To Signout you should be able to use the SigninManager.SignOutAsync() method.

You can look at the usage of the package in the MVC sample here:
https://github.com/alexandre-spieser/AspNetCore.Identity.MongoDbCore/tree/master/sample/MongoIdentitySample.Mvc/Controllers

        //
        // POST: /Account/LogOff
        [HttpPost]
        [ValidateAntiForgeryToken]
        public async Task<IActionResult> LogOff()
        {
            await _signInManager.SignOutAsync();
            _logger.LogInformation(4, "User logged out.");
            return RedirectToAction(nameof(HomeController.Index), "Home");
        }

from aspnetcore.identity.mongodbcore.

CarlosTorrecillas commented on June 11, 2024

Thanks for getting back to me. Have you tried to open multiple tabs in your browser and sign out from one of them? Do the other tabs log off as well? I say that because that's the issue I'm facing right now.
My log out looks like this:

    /// <summary>
    /// Show logout page
    /// </summary>
    [HttpGet]
    public async Task<IActionResult> Logout(string logoutId)
    {
        var logoutContext = await _interaction.GetLogoutContextAsync(logoutId);

        await _signInManager.SignOutAsync();

        return Redirect(logoutContext.PostLogoutRedirectUri);
    }


alexandre-spieser commented on June 11, 2024

The action in the MVC sample is a post, yours is a get. Not sure about what the _interaction dependency does.
Feel free to start the sample MVC app and check if this works.
Once again, this package does not use identity server.
The token provider used by Identity in this package is not IdentityServer.
The SignInManager.SignOutAsync() method does:

        /// <summary>
        /// Signs the current user out of the application.
        /// </summary>
        public virtual async Task SignOutAsync()
        {
            await Context.SignOutAsync(IdentityConstants.ApplicationScheme);
            await Context.SignOutAsync(IdentityConstants.ExternalScheme);
            await Context.SignOutAsync(IdentityConstants.TwoFactorUserIdScheme);
        }

Source:
https://github.com/aspnet/Identity/blob/fcc02103aa10dcdd8759e0463cac2717114f3c1e/src/Identity/SignInManager.cs


xclud commented on June 11, 2024

@CarlosTorrecillas You cannot have different sessions in different browser tabs/instances. Authentication works based on Cookies and they provide the same info browser-wide.

This means if you log in, all browser tabs are logged in, and the same if you log out. So logoutId won't help.

One solution might be JWT based authentication and not even storing the token in cookies or localStorage. You can save the token in window.token for instance.


CarlosTorrecillas commented on June 11, 2024

Ok - I understand that. What I would have imagined then is that, if I log out in one of the tabs, then the other one would also be "logged-out" if that makes sense, but it's not the case. For some reason the user is still able to run authenticated actions. Does that make sense?

I'm using the oidc-client on an Angular app with pretty much the standard configuration.

If you check out the stack overflow link I pasted I think I have JWT configuration right?


xclud commented on June 11, 2024

As far as I know, oidc-client works in two modes: localStorage and sessionStorage. It depends on your configuration. If you are on localStorage then logging out in a tab logs out everywhere else. But if you are in sessionStorage mode, only one tab logs out (you don't even need to log out, closing the browser tab is enough).

More on localStorage and sessionStorage:
https://developer.mozilla.org/en-US/docs/Web/API/Window/sessionStorage

oidc-client's behavior is set to sessionStorage by default:
https://github.com/IdentityModel/oidc-client-js/blob/8848a6c58bbc41342e11888df2eb44ad117da94a/src/UserManagerSettings.js#L35


alexandre-spieser commented on June 11, 2024

If it's token based authentication stored in a cookie, you're better off writing middleware that expires your session simply by taking the specific cookie and making it expire.

In https://github.com/IdentityServer/IdentityServer4.Quickstart.UI/blob/master/Quickstart/Account/AccountController.cs
the method:

        [HttpPost]
        [ValidateAntiForgeryToken]
        public async Task<IActionResult> Logout(LogoutInputModel model)

Clears the cookie like so:

            if (User?.Identity.IsAuthenticated == true)
            {
                // delete local authentication cookie
                await HttpContext.SignOutAsync();

                // raise the logout event
                await _events.RaiseAsync(new UserLogoutSuccessEvent(User.GetSubjectId(), User.GetDisplayName()));
            }

HttpContext.SignOutAsync(); is probably an extension from the IdentityServer package.

You cannot rely on the Identity package to clear cookies it has not created.

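A hardened version of the logout action discussed in this thread, added here as an example (it is not code from the thread, the MVC sample or the AspNetCore.Identity.MongoDbCore project): it keeps the POST + anti-forgery shape of the MVC sample, clears the Identity cookie schemes through SignInManager, and guards the IdentityServer logout context so a missing or unknown logoutId cannot cause a null dereference or a redirect to an unvalidated URI. It assumes IdentityServer4's IIdentityServerInteractionService, an ApplicationUser Identity type and a HomeController.Index action.

```csharp
using System.Threading.Tasks;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Logging;

public class AccountController : Controller
{
    // ApplicationUser is assumed to be the app's IdentityUser subclass.
    private readonly SignInManager<ApplicationUser> _signInManager;
    private readonly IIdentityServerInteractionService _interaction;
    private readonly ILogger<AccountController> _logger;

    public AccountController(SignInManager<ApplicationUser> signInManager,
                             IIdentityServerInteractionService interaction,
                             ILogger<AccountController> logger)
    {
        _signInManager = signInManager;
        _interaction = interaction;
        _logger = logger;
    }

    // POST only, with an anti-forgery token, as in the MVC sample: a GET
    // logout can be triggered by any cross-site link or image tag.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Logout(string logoutId)
    {
        // Clears Identity's own cookies: the application, external and
        // two-factor schemes. It does not touch cookies other handlers set.
        await _signInManager.SignOutAsync();
        _logger.LogInformation("User logged out.");

        // The logout context may be null, or carry no PostLogoutRedirectUri,
        // when logoutId is missing or unknown; never dereference it blindly.
        var logoutContext = logoutId == null
            ? null
            : await _interaction.GetLogoutContextAsync(logoutId);

        // Redirect only to the URI IdentityServer validated against the
        // client's registered post-logout URIs; otherwise stay on this site.
        if (!string.IsNullOrEmpty(logoutContext?.PostLogoutRedirectUri))
        {
            return Redirect(logoutContext.PostLogoutRedirectUri);
        }
        return RedirectToAction(nameof(HomeController.Index), "Home");
    }
}
```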

xclud commented on June 11, 2024

In addition to my previous comment, in sessionStorage you will need to log-in for each tab separately.


alexandre-spieser commented on June 11, 2024

If you're set on using IdentityServer and it's not supported by MS Identity then you must handle the token management yourself.
I am using OpenIdConnectServer as a token provider in my personal projects, and I just use AspNetCore.Identity.MongoDbCore to do the user management, not the session management.


xclud commented on June 11, 2024

Right, you may not mix a client-side library with server-side auth.

I believe the best solution is to use oidc-client with a web-api project with a token based auth.

Alternatively, you can get rid of oidc-client and use the Startup.Configure function to disable cookie auth and use a sessionStorage thing. You might need to write a middleware.


CarlosTorrecillas commented on June 11, 2024

Hi @alexandre-spieser @xclud , I managed to expire all active sessions on different tabs eventually. When you sign out there is an event fired and the OIDC client picks it up. You can then add a handler to it to sign out automatically and that would do it:

    this.manager.events.addUserSignedOut(() => {
        this.signOut();
    });

Simply like that! I have faced anti forgery token issues later on when trying to log in multiple times from different tabs but I think I got that resolved too.

Many thanks for the help!!!


alexandre-spieser commented on June 11, 2024

Glad you could make it work.
I'm closing this issue 👍
