ADAL Login and authenticate user depend on Microsoft account login/logout - angularjs

We are trying to do silent SSO in my application. We use the adal-angular.js library for user sign-in. The scenario is: if a user signs in to their Office 365 account and opens my application, the user doesn't have to log in to our application. But if the user signs in to Office 365 and our application token expires after 1 hour, the user is logged out unexpectedly. I don't know how to handle this. We require that the user's login/logout should depend on Office 365 or Microsoft account login/logout.

If the user has an active session with Azure AD, ADAL JS renews the token automatically after it expires (the unexpected logout will not happen). ADAL JS examines the projected expiration of the existing token (in the cache), and if the token is about to expire, it uses an invisible iframe to send a new token (renewal) request to Azure AD.
This is discussed in detail here (with sample code) by Vittorio, and the mechanics of silent renewal are discussed here.

Related

How to implement logout in Azure AD application proxy

I have integrated a header-based application with Azure AD Application Proxy, which preauthenticates the user with Azure AD credentials and creates a cookie-based session.
How do I implement logout so that clicking the logout link in the application totally clears the session?
For OAuth/OIDC, the guidance provided is:
"When you want to sign out the user from your app, it isn't sufficient to clear your app's cookies or otherwise end the user's session. You must also redirect the user to the Microsoft identity platform to sign out."
"When you redirect the user to the end_session_endpoint, the Microsoft identity platform clears the user's session from the browser. However, the user may still be signed in to other applications that use Microsoft accounts for authentication."
Implement logout in Azure AD Application Proxy:
Reference: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc#send-a-sign-out-request
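The two steps in the quoted guidance (end the app's own session, then redirect to the IdP's end_session_endpoint) are shown below as an added example; it is not code from the question's application or from the Microsoft documentation. The discovery document, the `sessionStore` abstraction and the placeholder tenant in the endpoint URL are constructed for the demo; a real app reads `end_session_endpoint` from its authority's `.well-known/openid-configuration` and must have `post_logout_redirect_uri` registered on the app registration, otherwise the IdP ignores it.

```javascript
// Added example (not the app's or Microsoft's code): front-channel sign-out.
// Constructed discovery document: only the fields this example reads.
const SAMPLE_DISCOVERY = {
  issuer: 'https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/v2.0',
  end_session_endpoint:
    'https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/oauth2/v2.0/logout',
};

// Step 2 of the guidance: build the redirect to the IdP's end_session_endpoint.
// `id_token_hint` lets the IdP sign out the right account without prompting.
function buildSignOutUrl(discovery, { postLogoutRedirectUri, idTokenHint }) {
  if (!discovery.end_session_endpoint) {
    throw new Error('IdP metadata does not advertise end_session_endpoint');
  }
  const url = new URL(discovery.end_session_endpoint);
  url.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri);
  if (idTokenHint) url.searchParams.set('id_token_hint', idTokenHint);
  return url.toString();
}

// Step 1 of the guidance: destroy the app's own session and expire its cookie.
// `sessionStore` is a hypothetical Map-like store keyed by session id.
function signOut(sessionStore, discovery, opts) {
  sessionStore.delete(opts.sessionId);
  // Max-Age=0 tells the browser to drop the cookie immediately; the flags
  // match the ones the session cookie was originally set with.
  const expiredCookie =
    `${opts.cookieName}=; Path=/; Max-Age=0; HttpOnly; Secure; SameSite=Lax`;
  return {
    setCookie: expiredCookie,
    redirectTo: buildSignOutUrl(discovery, opts),
  };
}

// Usage: the handler behind the app's logout link would send `setCookie` as a
// Set-Cookie header and respond with a 302 to `redirectTo`.
const demo = signOut(new Map([['s1', { user: 'alice' }]]), SAMPLE_DISCOVERY, {
  sessionId: 's1',
  cookieName: 'app_session',
  postLogoutRedirectUri: 'https://app.example.com/signed-out',
});
```

Clearing only the cookie (step 1) leaves the IdP session alive, so the next visit silently signs the user straight back in; that is the behaviour the first quoted sentence warns about.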

Revoke access for an access_token received via MS Active Directory authentication

I am currently using the passport-azure-ad and @azure/msal-node Node.js libraries to authenticate users for my APIs. When the user successfully authenticates via his/her Microsoft account we receive an access_token, and the user can call our APIs with that access_token.
Now if we disable the user's account from the Azure admin panel, the user's already existing access_token should be invalidated and he/she should not be able to call our APIs with that access_token.
How can we do this, please?
Basically, you can't.
I believe that the spec doesn't allow access tokens to be revoked.
You can, however, revoke refresh tokens.
When the access token expires, the refresh token won't be honoured and the user will be logged out.
Going forward, continuous access evaluation will be of use, but it hasn't been implemented in many apps to date.

Azure AAD - API or SDK for "Sign out from all devices" feature

Is there an Azure AAD API that can be invoked to kill all refresh_tokens for a particular app?
So that after an hour, new tokens will not be issued and devices under the app-id will sign out automatically.
Please note the sign-out should delete refresh tokens for a particular appid, not all the tokens for the user.
No. There is no such official API.
The only call exposed by Microsoft revokes all refresh tokens issued to all applications for a user.
See Revoke-AzureADUserAllRefreshToken.
AAD Graph API: POST https://graph.windows.net/{tenant id}/me/invalidateAllRefreshTokens?api-version=1.6 HTTP/1.1
You can post your idea on Azure AD User Voice.

How to renew my AAD session using adal-angular5?

I'm using the adal-angular5 v1.0.36 client library to authenticate my web application to Azure Active Directory.
The thing is that my session lasts 1 hour (the default expiration time) and I'd like to "renew" it silently for the user once it has expired, i.e. without having to ask the user for the credentials again or logging out and then logging in again (which would cause work loss for the user).
Is this possible to achieve?
As long as the user has an active session with Azure AD, ADAL JS does it automatically for you. ADAL JS examines the projected expiration of the existing token (in the cache), and if the token is about to expire, it uses an invisible iframe to send a new token (renewal) request to Azure AD.
Please choose MSAL over ADAL; here is the sample for Angular using MSAL.
Please refer to the link for migration from ADAL to MSAL.
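Both this answer and the one to the first question describe the same mechanic: the library inspects the cached token's projected expiry and renews it through a hidden iframe before an API call would fail. The block below is an added example of that decision logic, not ADAL JS or MSAL source code. The `exp`-based check and the 5-minute early-renewal offset are the generic JWT pattern; `acquireTokenSilent`, `renewFn` (standing in for the iframe request to the authority) and the unsigned sample tokens are constructed for the demo.

```javascript
// Added example (not ADAL JS / MSAL code): decide from a cached token's `exp`
// claim whether a silent renewal is due, and fall back to interactive sign-in
// only when the renewal itself fails (no live IdP session).

function base64UrlEncode(str) {
  const b64 = typeof btoa === 'function'
    ? btoa(str)
    : Buffer.from(str, 'binary').toString('base64');
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return typeof atob === 'function'
    ? atob(padded)
    : Buffer.from(padded, 'base64').toString('binary');
}

// Constructed, unsigned sample token for the demo only. The client never
// verifies the signature; it only reads `exp` to schedule renewal. The
// resource server is the party that validates the token.
function makeSampleJwt(payload) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' }));
  return `${header}.${base64UrlEncode(JSON.stringify(payload))}.`;
}

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Treat the token as expired `offsetSeconds` before its real `exp` so the
// renewal completes before an API call would get a 401. A token without a
// numeric `exp` is treated as expired, never as valid forever.
function tokenNeedsRenewal(token, nowSeconds, offsetSeconds = 300) {
  const { exp } = decodeJwtPayload(token);
  if (typeof exp !== 'number') return true;
  return nowSeconds + offsetSeconds >= exp;
}

// `cache` is any Map-like store keyed by resource; `renewFn` is the
// hypothetical hidden-iframe request and rejects when the IdP has no session.
async function acquireTokenSilent(cache, resource, nowSeconds, renewFn) {
  const cached = cache.get(resource);
  if (cached && !tokenNeedsRenewal(cached, nowSeconds)) {
    return { token: cached, renewed: false };
  }
  try {
    const fresh = await renewFn(resource);
    cache.set(resource, fresh);
    return { token: fresh, renewed: true };
  } catch (err) {
    // Renewal failed: drop the stale entry; the caller must now prompt the
    // user interactively (this is the only point where a "logout" surfaces).
    cache.delete(resource);
    return { token: null, renewed: false, error: err.message };
  }
}
```

Because the check runs against the token already in the cache, the renewal is triggered by the app's next token request rather than by a timer; an app that sits idle past `exp` simply renews on its next API call, provided the Azure AD session cookie is still alive.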

Logout user when user permission changes in active directory when user is logged in from ADFS SSO

I have an application that authenticates against ADFS 2016 using OpenID Connect.
Once I get the token from ADFS I create a local cookie session in my application.
Problem
When permissions for a user change on the ADFS server or the user is disabled, how can my application trigger logout for the user? Does ADFS provide any endpoint or API to check that?
The access token you get from AD FS has a certain lifetime (configurable on the AD FS side). The default value is one hour. You can read more about AD FS token lifetime here.
With AD FS you do not have any "built into the protocol" way to log the user out of your application exactly at the time when you disable them in AD, but you can set an expiration time for the cookies in your application, so when the cookies expire, the application will go and try to get a new access token or refresh an existing token, depending on your needs and architecture.
Option #1: Get a new access token
If the user was disabled he will not be able to get a new access token and will not be able to log in to your application. If the user was still active by the time the local cookie in your application expired, the AD FS login process will be seamless for him, i.e. he will not even see the AD FS login page and will be redirected back to your application with a new access token right away.
Option #2: Refresh the existing access token
This option is only available when you persist AD FS access tokens in your application. You can use a certain endpoint at the AD FS server to try to refresh that access token. If a user was disabled he will not be able to refresh the token and you can perform a logout. You can read more about how to refresh the access token and some other scenarios with AD FS here.
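The "short app cookie, then refresh or log out" flow from Option #2 is shown below as an added example; it is not code from the question's application or from the AD FS documentation. The token endpoint is a constructed stand-in: real AD FS answers a refresh_token grant that can no longer be honoured with an OAuth error response, and `invalid_grant` is the RFC 6749 error code for a refresh token that is invalid, expired or revoked. `reconcileSession`, the session record shape and the 15-minute cookie lifetime are assumptions made for the demo.

```javascript
// Added example (not the app's or AD FS code): on each request, let a short
// application session expire, then refresh against the IdP; a failed refresh
// is the signal to log the user out.

// Short app-session lifetime bounds how long a user disabled in AD keeps
// access: at most this long after the disable, the next refresh will fail.
const COOKIE_LIFETIME_SECONDS = 15 * 60;

function sessionIsExpired(session, nowSeconds) {
  return nowSeconds >= session.issuedAt + COOKIE_LIFETIME_SECONDS;
}

// Constructed stand-in for the IdP token endpoint (grant_type=refresh_token).
// Sample refresh tokens use the constructed format "user:nonce" so the fake
// can look up account state; real tokens are opaque to the application.
function makeFakeTokenEndpoint(disabledUsers) {
  let counter = 0;
  return function refresh(refreshToken) {
    const [user] = refreshToken.split(':');
    if (disabledUsers.has(user)) {
      return { ok: false, error: 'invalid_grant' };
    }
    counter += 1;
    return { ok: true, access_token: `at-${user}-${counter}`, expires_in: 3600 };
  };
}

// Decide what the request handler should do with the current session:
//   continue  -> session still valid (possibly with a refreshed token)
//   logout    -> refresh was refused; clear the cookie and send to sign-in
function reconcileSession(session, nowSeconds, tokenEndpoint) {
  if (!sessionIsExpired(session, nowSeconds)) {
    return { action: 'continue', session };
  }
  const res = tokenEndpoint(session.refreshToken);
  if (!res.ok) {
    return { action: 'logout', reason: res.error, session: null };
  }
  return {
    action: 'continue',
    session: { ...session, accessToken: res.access_token, issuedAt: nowSeconds },
  };
}

// Usage with constructed data: bob has been disabled in AD since he signed in.
const tokenEndpoint = makeFakeTokenEndpoint(new Set(['bob']));
const loginTime = 1700000000;
const aliceSession = { user: 'alice', refreshToken: 'alice:n1', accessToken: 'at-alice-0', issuedAt: loginTime };
const bobSession = { user: 'bob', refreshToken: 'bob:n1', accessToken: 'at-bob-0', issuedAt: loginTime };
const later = loginTime + COOKIE_LIFETIME_SECONDS + 1;
const aliceResult = reconcileSession(aliceSession, later, tokenEndpoint);
const bobResult = reconcileSession(bobSession, later, tokenEndpoint);
```

The trade-off is the cookie lifetime: shorter means disabled or re-permissioned accounts are cut off sooner, at the cost of more refresh round-trips to AD FS. Option #1 follows the same shape, with the redirect to the AD FS authorize endpoint in place of the refresh call.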
