We have an application built with ASP.NET Web Forms (.NET Framework 4.6.2). Previously we used Windows authentication to authenticate users. Now we want to switch to Azure AD authentication with MFA, using the OWIN (OpenID Connect) middleware. I have a working POC for Azure AD authentication and MFA. However, we have an additional requirement: the application must ask the user for their username and password again (re-authenticate) after 15 minutes of inactive time. I have not been able to achieve this, and I am not even sure it is possible with OpenID Connect and Azure AD, as I am new to Azure and SSO. Can someone please explain how I can achieve this? It is really important to us.
I have also set the cookie expiry time, but when the cookie expires the user is re-authenticated internally without being asked for a username and password.
I have attached my Startup class.
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.Owin;
using Microsoft.Owin.Extensions;
using Microsoft.Owin.Host.SystemWeb;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.Notifications;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;
using System;
using System.Configuration;
using System.Globalization;
using System.IO;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
namespace AzureADWebForms
{
public partial class Startup
{
// Azure AD registration values, read once from <appSettings> (key names in brackets).
private static string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
// Base URL of the Azure AD instance; EnsureTrailingSlash is presumably defined in another
// part of this partial class — not visible here.
private static string aadInstance = EnsureTrailingSlash(ConfigurationManager.AppSettings["ida:AADInstance"]);
//private static string tenant = ConfigurationManager.AppSettings["ida:Tenant"];
private static string tenantId = ConfigurationManager.AppSettings["ida:TenantId"];
// Where the browser is sent after sign-out, and the reply URL registered for this app.
private static string postLogoutRedirectUri = ConfigurationManager.AppSettings["ida:PostLogoutUri"];
private static string redirectUri = ConfigurationManager.AppSettings["ida:redirectUri"];
//private string authority = aadInstance + tenantId;
// Instance URL + tenant id; assembled in the constructor, consumed by ConfigureAuth.
private string authority = string.Empty;
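/// <summary>
/// Builds the OpenID Connect authority URL (Azure AD instance + tenant id) used by ConfigureAuth.
/// </summary>
/// <exception cref="InvalidOperationException">
/// Thrown when ida:AADInstance or ida:TenantId is missing from configuration.
/// </exception>
public Startup()
{
    // Path.Combine is a file-system API: a rooted second segment replaces the first, and on
    // Windows a missing trailing separator is filled with a backslash. Assemble the URL with
    // plain string operations instead so the result does not depend on EnsureTrailingSlash.
    if (string.IsNullOrEmpty(aadInstance) || string.IsNullOrEmpty(tenantId))
    {
        throw new InvalidOperationException("ida:AADInstance and ida:TenantId must both be configured.");
    }
    authority = aadInstance.TrimEnd('/') + "/" + tenantId.TrimStart('/');
}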
/// <summary>
/// Registers cookie authentication (the sign-in target) and OpenID Connect against Azure AD,
/// then marks the pipeline so both run before web.config authorization rules are evaluated.
/// </summary>
/// <param name="app">OWIN application builder supplied by the host.</param>
public void ConfigureAuth(IAppBuilder app)
{
    // Identities validated by the OIDC middleware are persisted by the cookie middleware.
    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

    var cookieProvider = new CookieAuthenticationProvider
    {
        OnResponseSignIn = OnCustomResponseSignIn,      // stamps the absolute-expiry marker
        OnValidateIdentity = OnMyCustomValidateIdentity // rejects cookies past that marker
    };
    var cookieOptions = new CookieAuthenticationOptions
    {
        // Cookie lifetime; 2 minutes looks like a test value (the stated target is 15 minutes).
        ExpireTimeSpan = TimeSpan.FromMinutes(2),
        // SlidingExpiration is left at the middleware default here (believed to be true in
        // Katana, i.e. renewed while the user is active — verify against the installed version).
        Provider = cookieProvider
    };
    app.UseCookieAuthentication(cookieOptions);

    // NOTE(review): when the cookie expires, the resulting challenge sends the browser back to
    // Azure AD, whose own SSO session re-issues tokens without prompting — consistent with the
    // symptom described above the code. Forcing credential re-entry is a property of the
    // outgoing request (prompt=login via ProtocolMessage.Prompt, or max_age) and belongs in
    // OnRedirectToIdentityProvider; that handler is outside this view, so confirm it sets one.
    var oidcNotifications = new OpenIdConnectAuthenticationNotifications
    {
        AuthenticationFailed = OnAuthenticationFailed,
        RedirectToIdentityProvider = OnRedirectToIdentityProvider,
        SecurityTokenValidated = OnSecurityTokenValidated
    };
    var oidcOptions = new OpenIdConnectAuthenticationOptions
    {
        ClientId = clientId,
        Authority = authority,
        RedirectUri = redirectUri,
        PostLogoutRedirectUri = postLogoutRedirectUri,
        Scope = OpenIdConnectScope.OpenIdProfile,
        // code + id_token; no AuthorizationCodeReceived handler is wired here, so the code
        // is not redeemed in this class as far as can be seen.
        ResponseType = OpenIdConnectResponseType.CodeIdToken,
        // Cookie lifetime is governed by the cookie options above, not by the id_token expiry.
        UseTokenLifetime = false,
        Notifications = oidcNotifications
    };
    app.UseOpenIdConnectAuthentication(oidcOptions);

    // Everything registered above runs at the Authenticate stage, i.e. before the
    // <authorization> rules in web.config are applied.
    app.UseStageMarker(PipelineStage.Authenticate);
}
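/// <summary>
/// On every cookie sign-in, records an absolute expiry instant (UTC ticks) in the
/// authentication properties. OnMyCustomValidateIdentity reads the same key and rejects
/// the cookie once that instant has passed, regardless of sliding renewals.
/// </summary>
/// <param name="context">Cookie sign-in context carrying the properties bag and the clock.</param>
private void OnCustomResponseSignIn(CookieResponseSignInContext context)
{
    const int AbsoluteLifetimeHours = 10;
    var expiresAtTicks = context.Options.SystemClock.UtcNow.AddHours(AbsoluteLifetimeHours).UtcTicks;
    // Indexer instead of Add(): a properties bag that already carries the key would make
    // Add() throw ArgumentException. Invariant culture keeps the value machine-parseable.
    context.Properties.Dictionary["absolute"] = expiresAtTicks.ToString(CultureInfo.InvariantCulture);
}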
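/// <summary>
/// Enforces the absolute expiry stamped by OnCustomResponseSignIn. The identity is rejected
/// when the "absolute" marker is missing, unparseable, or earlier than the current UTC time.
/// </summary>
/// <param name="context">Cookie validation context with the properties bag and the clock.</param>
/// <returns>A completed task; the outcome is signalled through <c>context.RejectIdentity()</c>.</returns>
private Task OnMyCustomValidateIdentity(CookieValidateIdentityContext context)
{
    // Fail closed: only a present and parseable marker can keep the identity.
    bool reject = true;
    string value;
    long expiresAtTicks;
    // Invariant culture matches the machine-readable value written at sign-in.
    if (context.Properties.Dictionary.TryGetValue("absolute", out value)
        && long.TryParse(value, NumberStyles.Integer, CultureInfo.InvariantCulture, out expiresAtTicks))
    {
        reject = context.Options.SystemClock.UtcNow.UtcTicks > expiresAtTicks;
    }

    if (reject)
    {
        // Drops the identity for this request only; the cookie itself is not cleared here
        // (explicit sign-out left as the original author had it, commented out).
        context.RejectIdentity();
        //context.OwinContext.Authentication.SignOut(context.Options.AuthenticationType);
    }
    return Task.FromResult(0);
}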
private Task OnRedirectToIdentityProvider(RedirectToIdentityProviderNotification