Azure AD & OpenID Connect Timeouts (Episerver CMS 11.4.0)

Vote:
 

Hi guys, we have implemented https://world.episerver.com/documentation/developer-guides/CMS/security/integrate-azure-ad-using-openid-connect/ to enable single sign on for both the CMS and Commerce however there seems like a finite amount of time the session seems to work and since doing this as users are activly using the site at some point their AAD session stops and the Episerver UI just stops resoponding.

I've said to the client that I thought that this was something they control in the Azure AD portal but does anyone have more information on this? I don't have access to any Azure AD to test this myself and I've never configured this in the portal. Alternativly is there a way to control this like with the Cookies Authentication options you normally use with .NET Identity?

#189435
Mar 19, 2018 14:19
Vote:
 

I've seen some people talking about setting UseTokenLifetime to false but not 100% sure about the implications of this

#189436
Mar 19, 2018 14:25
Vote:
 

If you are using the documentation config you are using response_type=id_token. The cookie set by the Owin layer will then get the same expiry as the id_token received.

Looks like the default id_token lifetime is 1 hour for Azure AD work accounts. If you aren't using the token(s) sent in the signin request for any communication purpose after validation and authentication ticket is created you can set UseTokenLifetime to false and put your own expiration time to whatever works. I think it should be possible to increase the lifetime in the Azure AD as well.

If you want to keep your implicit flow the other option is to do a silent renew (redirect to IDP with prompt=none) in an iframe before expiry has occured. This will set a new cookie with an updated expiry just as a regular signin does. I think this works with Azure AD but I guess it's near impossible to get this into Commerce Manager.

The optimal way is to change from implicit flow to hybrid and use "code id_token" as response_type. You can then request offline_access scope and get a refresh_token when calling the token endpoint with the authorization code received. Having that you can prolong the session forever and getting valid tokens every time you renew without sending the user on a iframe redirect journey. Unfortunately this is not supported out of the box in the Owin OpenIdConnect package so it's a bit tricky to achieve. My way has been to ignore setting a new authentication ticket cookie and instead hold the tokens in a backend storage. Then do a signout the next time I see that token expiry has occured after user has been idle for too long.

#189581
Mar 20, 2018 23:12
Vote:
 

Thanks for the response Johan, mostly when trying to find information on this with Azure AD I just found a lot of open tickets on Microsoft asking for changes. At the moment I've changed it to UseTokenLifetime but I've not set an explicit expiry period. Do you know how you set that as it's different to the 

SlidingExpiration = true,
ExpireTimeSpan = TimeSpan.FromMinutes(30)

That I've got set for the AspNet Identity whenn using CookieAuthenticationOptions that we usually use? I'll bear in mind the other options, it's nice to have some advice around this, sadly I don't have lot of time to fix this issue so hopefully the UseTokenLifetime will at least resolve my issues.

Thanks again

#189597
Mar 21, 2018 9:41
Vote:
 

Inside SecurityTokenValidated = (ctx) => { ... } you should be able to do:

ctx.AuthenticationTicket.Properties.ExpiresUtc = DateTime.UtcNow.AddHours(12);

Maybe also...

ctx.AuthenticationTicket.Properties.IsPersistent = true;

#189619
Mar 21, 2018 13:49
Vote:
 

Wicked thanks for you're help  Johan :-)

#189620
Mar 21, 2018 13:50
This topic was created over six months ago and has been resolved. If you have a similar question, please create a new topic and refer to this one.
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.