c# - Authentication in an ASP.NET web application using Azure AD


I'm looking at using Azure AD to handle user accounts for a web app.

I've implemented something similar to Microsoft's sample code shown here (linked here).

It uses the following authentication scenario (this one):

Azure AD authentication scenario: web browser to web application

As far as I understand it, once the user is authenticated, OWIN creates and sets its own session cookie specific to the domain. As long as the cookie hasn't expired or become corrupted, the user will stay logged in. Our app only ever talks to the authentication provider when the user logs out or logs in again.

So this raises the question: what happens when the user is deactivated, or deleted, from AD while still logged in?

Let's say we have sensitive information stored in the web app's database that is modifiable by authorized users. Permissions for authorization are kept in a local database keyed by the user's oid.

Bob is an administrator of our company's web app. For reasons undisclosed, we have had to terminate his employment. Our domain administrator locks his AD account out, and Bob is escorted out of the premises. All should be fine.

Everything is not fine.

Disgruntled Bob arrives home and looks at his laptop, which has a browser open on our web app. He thinks, "surely I must have been locked out?". He browses to the administration part of the site and sees that he is still able to access it. In a petty way of getting his own back at the company, he goes in and modifies some of the sensitive information.

Bob is still authenticated (Bob's credentials still identify him as Bob), but he should no longer be authorized to access the service. However, his session cookie is still valid. Bob is still logged in and can still access the web app until the cookie expires, or until he ends the session.

How can we stop this from happening? (Besides not sleeping with Bob's wife.)

A few "solutions" I have thought of:

  1. Call Azure's Graph API on every [Authorize] action, which returns whether the user is valid and not locked out. Then make the user end their own session.

  2. Call a user metadata table on the application on every [Authorize] action that checks whether the user is disabled or not. (Not ideal: disparity between AD and the local DB.)

  3. Use BearerAuthentication somehow. (Help appreciated; the only examples I can find are for Web API.)

  4. Do nothing and deal with this unlikely situation. (Not ideal.)
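One way to implement options 1 and 2 with the OWIN cookie middleware, as an added example that is neither the question's code nor Microsoft's sample: the `OnValidateIdentity` hook re-checks the account against a status source and rejects the cookie when the account is disabled. `IUserStatusChecker` and the five-minute `StaleAfter` interval are assumptions; the checker's body (a Graph API call or a local table lookup) is the application's choice.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;

// Hypothetical abstraction: answers "may this oid still sign in?".
// Back it with the Graph API (option 1) or the local user table (option 2).
public interface IUserStatusChecker
{
    Task<bool> IsAccountEnabledAsync(string objectId);
}

public static class CookieRevalidation
{
    // Claim type Azure AD uses for the user's object id (oid).
    const string OidClaim = "http://schemas.microsoft.com/identity/claims/objectidentifier";
    // Assumed policy: re-check the account once per interval, not on every request.
    public static readonly TimeSpan StaleAfter = TimeSpan.FromMinutes(5);

    // Startup.cs: app.UseCookieAuthentication(CookieRevalidation.Build(checker));
    public static CookieAuthenticationOptions Build(IUserStatusChecker checker)
    {
        return new CookieAuthenticationOptions
        {
            Provider = new CookieAuthenticationProvider
            {
                // Runs on every request that presents the session cookie.
                OnValidateIdentity = ctx => ValidateAsync(ctx, checker)
            }
        };
    }

    static async Task ValidateAsync(CookieValidateIdentityContext ctx, IUserStatusChecker checker)
    {
        var issued = ctx.Properties.IssuedUtc ?? DateTimeOffset.MinValue;
        if (DateTimeOffset.UtcNow - issued < StaleAfter)
            return; // checked recently; accept the cookie as-is

        var oid = ctx.Identity.FindFirst(OidClaim)?.Value;
        if (oid == null || !await checker.IsAccountEnabledAsync(oid))
        {
            // Account disabled (or no oid): refuse the identity and clear the cookie.
            ctx.RejectIdentity();
            ctx.OwinContext.Authentication.SignOut(ctx.Options.AuthenticationType);
            return;
        }
        // Still enabled: re-issue the cookie so IssuedUtc moves to now (the pattern SecurityStampValidator uses).
        ctx.OwinContext.Authentication.SignIn(
            new AuthenticationProperties { IsPersistent = ctx.Properties.IsPersistent },
            ctx.Identity);
    }
}
```

`StaleAfter` is the window in which a disabled account can still act; shortening it costs one status check per user per interval.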

As long as the cookie hasn't expired or become corrupted, the user will stay logged in.

Not true.

Both OAuth2 and WS-Fed tokens contain a token expiration date among other attributes.

Thus, in reality, Bob would be able to use the application until the expiration date in the token passes. Token providers issue tokens valid for a few hours at most.

