Pfthb

Hi Following from my previous question I need to rediect the user to the login page if the access and refresh token is expired. The problem is that I don't know how to get the address of the login page without hard coding it.

 public async Task<ActionResult> Shouts()
 
 var authServerInfo = await this.GetAuthenticationServerInfo();
 var accessToken = await HttpContext.GetTokenAsync("access_token");

 var tokenClient = new TokenClient(authServerInfo.TokenEndpoint, "AuthTest_Code", "secret");
 using (var client = new HttpClient())
 
 client.SetBearerToken(accessToken);
 var content = await client.GetStringAsync("http://localhost:5002/api/Values/Get");
 var data = JsonConvert.DeserializeObject<List<String>>(content);
 return View("Shouts", data);
 
 

You could add it as a setting in your appsettings.json file.

I have several ADFS settings stored in this file. An example of how it could look like is this:

 "PublicUrl": "BASE_URL_HERE",
 "ConnectionStrings": 
 //Connection strings here
 ,
 "ApplicationInsights": 
 "InstrumentationKey": "APPINSIGHTS_INSTRUMENTATIONKEY_HERE"
 ,
 "Logging": 
 "IncludeScopes": false,
 "LogLevel": 
 "Default": "Error",
 "Microsoft": "Warning",
 "Roxit": "Warning"
 
 ,
 "Authentication": 
 "AdfsBaseUrl": "ADFS_BASEURL_HERE",
 "AdfsLogout": "ADFS_LOGOUT_URL_HERE",
 "AdfsLogin": "ADFS_LOGIN_URL_HERE",
 

As you can see I have a logout and login url. How to retrieve these configuration settings in your code you can read here: How to read AppSettings values from Config.json in ASP.NET Core

In ASP.Net you'd typically let the cookie authentication middleware handle this - i.e. if you do a HttpContext.SignOut("...my cookie scheme...") or the cookie expires then the next request to a secured action will automatically redirect to the login URL associated with that scheme.

It's also worth noting that the intention of OpenID Connect is that you'd align the session/auth cookie lifetime of your client web application to that of the IDP session and NOT to the lifetime of an access_token which would typically be much shorter (and renewed silently using a refresh token in a server-side application like this).

Check out the session management optional spec here:

https://openid.net/specs/openid-connect-session-1_0.html

You are of course free to define your own rules for how often an end user of your client must authenticate. You can use the max_age or prompt=login authorize endpoint arguments to force interactive authentication and then check the auth_time claim in the client app to verify that the user was indeed recently authenticated.

To pass additional parameters using the normal .Net Core 1.1 middleware it might looks like the following (2.x may be slightly different):

//Initialising OpenIdConnectEvents...
OnRedirectToIdentityProvider = context => 
 //context.Properties is of type AuthenticationProperties which can be passed via the Challenge() method.
 if(context.Properties.Items.ContainsKey("prompt"))
 context.ProtocolMessage.Prompt = context.Properties.Items["prompt"];