Azure AD Authentication with OWIN for ASP.NET WEB Forms Applicaiton - How to logout user after configurable inactive time

Question

Azure AD Authentication with OWIN for ASP.NET WEB Forms Applicaiton - How to logout user after configurable inactive time

Padmasekhar Pottepalem 1

We have an application which is build using ASP.NET WEB Forms (.NET Framework 4.6.2). Previously, we were using Windows authentication to authenticate user. Now, we want to change it to Azure AD authentication with MFA with OWIN (Open Id Connect) framework. I was able to do a POC till Azure AD authentication and MFA. However, we have another requirement that, Application should ask user for username and password to re-authenticate after 15 min in active time. I am unable to do this. Even, I am not sure whether it is possible with OpenId connect and Azure because I am new to Azure and SSO. Can someone please help me how I can achieve this? This is really important to us.

I have set Cookie expire time as well but, when cookie is expired it is internally re-authenticating user without asking username and password.

I have attached my Startup class.

using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.Owin;
using Microsoft.Owin.Extensions;
using Microsoft.Owin.Host.SystemWeb;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.Notifications;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;
using System;
using System.Configuration;
using System.IO;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;

namespace AzureADWebForms
{
    public partial class Startup
    {
        private static string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
        private static string aadInstance = EnsureTrailingSlash(ConfigurationManager.AppSettings["ida:AADInstance"]);
        //private static string tenant = ConfigurationManager.AppSettings["ida:Tenant"];
        private static string tenantId = ConfigurationManager.AppSettings["ida:TenantId"];
        private static string postLogoutRedirectUri = ConfigurationManager.AppSettings["ida:PostLogoutUri"];
        private static string redirectUri = ConfigurationManager.AppSettings["ida:redirectUri"];
        //private string authority = aadInstance + tenantId;
        private string authority = string.Empty;
        public Startup()
        {
            authority = Path.Combine(aadInstance, tenantId);
            //authority = String.Format(System.Globalization.CultureInfo.InvariantCulture, aadInstance, tenant);
        }


        public void ConfigureAuth(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

            app.UseCookieAuthentication(new CookieAuthenticationOptions()
            {
                ExpireTimeSpan = TimeSpan.FromMinutes(2),
                //SlidingExpiration = true,
                Provider = new CookieAuthenticationProvider
                {
                    OnResponseSignIn = OnCustomResponseSignIn,
                    OnValidateIdentity = OnMyCustomValidateIdentity
                }
            });

            app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                ClientId = clientId,
                Authority = authority,
                RedirectUri = redirectUri,
                PostLogoutRedirectUri = postLogoutRedirectUri,
                Scope = OpenIdConnectScope.OpenIdProfile,
                //ResponseType = OpenIdConnectResponseType.IdToken,
                ResponseType = OpenIdConnectResponseType.CodeIdToken,
                UseTokenLifetime = false,
                Notifications = new OpenIdConnectAuthenticationNotifications()
                {
                    AuthenticationFailed = OnAuthenticationFailed,
                    RedirectToIdentityProvider = OnRedirectToIdentityProvider,
                    SecurityTokenValidated = OnSecurityTokenValidated 
                }

            });

            // This makes any middleware defined above this line run before the Authorization rule is applied in web.config
            app.UseStageMarker(PipelineStage.Authenticate);
        }

        private void OnCustomResponseSignIn(CookieResponseSignInContext context)
        {
            //context.Properties.AllowRefresh = true;
            //context.Properties.ExpiresUtc = DateTimeOffset.UtcNow.AddMinutes(2);

            var ticks = context.Options.SystemClock.UtcNow.AddHours(10).UtcTicks;
            context.Properties.Dictionary.Add("absolute", ticks.ToString());
        }

        private Task OnMyCustomValidateIdentity(CookieValidateIdentityContext context)
        {
            bool reject = true;
            string value;
            if (context.Properties.Dictionary.TryGetValue("absolute", out value))
            {
                long ticks;
                if (Int64.TryParse(value, out ticks))
                {
                    reject = context.Options.SystemClock.UtcNow.UtcTicks > ticks;
                }
            }
            if (reject)
            {
                context.RejectIdentity();
                // optionally clear cookie
                //ctx.OwinContext.Authentication.SignOut(ctx.Options.AuthenticationType);
            }

            return Task.FromResult(0);
        }


        private Task OnRedirectToIdentityProvider(RedirectToIdentityProviderNotification

Padmasekhar Pottepalem 1 Reputation point

2022-01-28T02:53:08.337+00:00

I tied to call

HttpContext.GetOwinContext().Authentication.Challenge( new AuthenticationProperties { RedirectUri = "/" }, OpenIdConnectAuthenticationDefaults.AuthenticationType);

but still it is not asking username and password but it is internally re-authenticating user

Paul, Prakash 6

Hi,
I also need some tips How to avoid silent authentication?

var properties = new AuthenticationProperties()
                                {
                                    RedirectUri = SuccessRedirect,
                                    AllowRefresh = false,
                                    ExpiresUtc = DateTime.UtcNow.AddMinutes(20)
                                };
                                properties.Dictionary.Add("login_hint", txtUserID.Text + "@Mydomain.com");
                                HttpContext.Current.GetOwinContext().Authentication.Challenge(properties, OpenIdConnectAuthenticationDefaults.AuthenticationType);

I want every time user try to login, insted of silent auth, passward screen must prompt.
any help will be appriciated

Tushar Kamble 6 Reputation points

2022-07-28T17:37:59.383+00:00

Hi @Padmasekhar Pottepalem ,

There is a requirement in my project to impliement Azure AD SSO.

My project is a ASP.NET WEB Forms Applicaiton, can you please share some links or sample code for this.

I am trying but got stuck, On login page I am getting 302 found error but in the response I can see the id_token received from azure.

It will be very helpful if you share some sample code or any inks where I can get code for SSO in ASP.NET WEB Forms Applicaiton.

Also in my application on login page there is local login and sing with microsoft login functionality.

Thanks in advance.
Ramu Choudhary 6 Reputation points

2022-09-02T16:18:15.487+00:00

Hi @Tushar Kamble

Have you got any sample impliement Azure AD SSO with ASP.NET WEB Forms .

If yes please share with me i have also same requirement.

Thanks
Rajan Kumar 5 Reputation points

2023-02-10T11:36:44.44+00:00

hi @Ramu Choudhary

I will provide you this saturday.

please wait
Reeves, Charles 0 Reputation points

2023-02-28T17:44:45.2466667+00:00

Hi,

I also have a Web Forms application that I'm converting to Azure AD authentication with OperIDConnect. I managed to get the authentication to work and the page redirect, but I'm not able to access any claims or user identity. It looks like none of the OpenIdConnectAuthenticationNotifications are firing. Have either of you experienced this and do you know what I should be looking for. I'm stumped at the moment.
Anastácio Gomes 0 Reputation points

2023-04-11T12:36:03.2766667+00:00

hi there! same problems here! any code available?
36091443 5 Reputation points

2023-04-24T14:12:32.7433333+00:00

Hi Guys, i also have same requirement like Asp.net web forms with AD connection validation please share the sample code at ******@gmail.com if u have
shaobin Wang 0 Reputation points

2023-04-27T03:22:25.1133333+00:00

Hi, Gusy, i have the same requirement, would you please share the sample code to me(******@sz.ctil.com), thanks.
shaobin Wang 0 Reputation points

2023-04-27T03:24:50.2033333+00:00

Hi Guys, i also have same requirement like Asp.net web forms with AD connection validation please share the sample code at <Mod remove PII> if u have, thanks.
Jonathan B. Edwards 0 Reputation points

2023-09-27T15:01:14.2933333+00:00

Hi, Guys, i have the same requirement, would you please share the sample code to me also (******@vbschools.com), thanks!
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Krupa Thakker 0 Reputation points

2023-11-29T17:21:48.26+00:00

Hi,

I have similar requirement. I need to authenticate the user using OpenIDConnect in Asp.net Webforms. The login page should be that of the Azure Portal Login Page.

I have registered the application in Azure Portal using Azure AD B2C. Have configured the TenantID, ClientID and SignupsigninpolicyId in my web.config file but I am getting below error instead of the Azure Login page.
Please share the Sample code here. Thank you
Krupa Thakker 0 Reputation points

2023-12-13T17:26:57.9233333+00:00

Hi,

Did you find any solution for this issue?

Thanks
Basu, Sayantan 0 Reputation points

2024-03-13T21:43:55.0633333+00:00

Hi, I am facing the same issue with our application. Could you please share the same example code with us?
Nguyen Van Trang (UTOP.UFO) 0 Reputation points

2024-10-22T04:25:44.8166667+00:00

Hi Guys, I want to set AllowRefresh = false when the request has route = "/signalr".

//Provider = new CookieAuthenticationProvider

//{

// OnValidateIdentity = async (context) =>

// {

// var a = context.Properties.AllowRefresh;

// Console.WriteLine(a);

// context.Properties.AllowRefresh = false;

// await Task.CompletedTask;

// }

//}

I implemented it in OnvalidateIdentity. How about the solution?
Nguyen Van Trang (UTOP.UFO) 0 Reputation points

2024-10-22T04:26:33.1133333+00:00

Hi Guys, I want to set AllowRefresh = false when the request has route = "/signalr".

//Provider = new CookieAuthenticationProvider

//{

// OnValidateIdentity = async (context) =>

// {

// var a = context.Properties.AllowRefresh;

// Console.WriteLine(a);

// context.Properties.AllowRefresh = false;

// await Task.CompletedTask;

// }

//}

I implemented it in OnvalidateIdentity. How about the solution?
Abiram Viswanathan 0 Reputation points

2025-03-22T11:41:00.98+00:00

I have the same scenario but the requirement is reverse. The first id_token expires in 15 minutes and we don't want the users to sign in. I am trying to get the new id_token silently, but it is not working. @openidhttps @Microsoft Entra

1 answer

Your answer

Padmasekhar Pottepalem 1 Reputation point

2022-01-28T02:53:08.337+00:00

I tied to call

HttpContext.GetOwinContext().Authentication.Challenge( new AuthenticationProperties { RedirectUri = "/" }, OpenIdConnectAuthenticationDefaults.AuthenticationType);

but still it is not asking username and password but it is internally re-authenticating user
Paul, Prakash 6 Reputation points

2022-05-31T07:12:07.433+00:00

Hi,
I also need some tips How to avoid silent authentication?

var properties = new AuthenticationProperties() { RedirectUri = SuccessRedirect, AllowRefresh = false, ExpiresUtc = DateTime.UtcNow.AddMinutes(20) }; properties.Dictionary.Add("login_hint", txtUserID.Text + "@Mydomain.com"); HttpContext.Current.GetOwinContext().Authentication.Challenge(properties, OpenIdConnectAuthenticationDefaults.AuthenticationType);

I want every time user try to login, insted of silent auth, passward screen must prompt.
any help will be appriciated
Tushar Kamble 6 Reputation points

2022-07-28T17:37:59.383+00:00

Hi @Padmasekhar Pottepalem ,

There is a requirement in my project to impliement Azure AD SSO.

My project is a ASP.NET WEB Forms Applicaiton, can you please share some links or sample code for this.

I am trying but got stuck, On login page I am getting 302 found error but in the response I can see the id_token received from azure.

It will be very helpful if you share some sample code or any inks where I can get code for SSO in ASP.NET WEB Forms Applicaiton.

Also in my application on login page there is local login and sing with microsoft login functionality.

Thanks in advance.
Ramu Choudhary 6 Reputation points

2022-09-02T16:18:15.487+00:00

Hi @Tushar Kamble

Have you got any sample impliement Azure AD SSO with ASP.NET WEB Forms .

If yes please share with me i have also same requirement.

Thanks
Rajan Kumar 5 Reputation points

2023-02-10T11:36:44.44+00:00

hi @Ramu Choudhary

I will provide you this saturday.

please wait
Reeves, Charles 0 Reputation points

2023-02-28T17:44:45.2466667+00:00

Hi,

I also have a Web Forms application that I'm converting to Azure AD authentication with OperIDConnect. I managed to get the authentication to work and the page redirect, but I'm not able to access any claims or user identity. It looks like none of the OpenIdConnectAuthenticationNotifications are firing. Have either of you experienced this and do you know what I should be looking for. I'm stumped at the moment.
Anastácio Gomes 0 Reputation points

2023-04-11T12:36:03.2766667+00:00

hi there! same problems here! any code available?
36091443 5 Reputation points

2023-04-24T14:12:32.7433333+00:00

Hi Guys, i also have same requirement like Asp.net web forms with AD connection validation please share the sample code at ******@gmail.com if u have
shaobin Wang 0 Reputation points

2023-04-27T03:22:25.1133333+00:00

Hi, Gusy, i have the same requirement, would you please share the sample code to me(******@sz.ctil.com), thanks.
shaobin Wang 0 Reputation points

2023-04-27T03:24:50.2033333+00:00

Hi Guys, i also have same requirement like Asp.net web forms with AD connection validation please share the sample code at <Mod remove PII> if u have, thanks.
Jonathan B. Edwards 0 Reputation points

2023-09-27T15:01:14.2933333+00:00

Hi, Guys, i have the same requirement, would you please share the sample code to me also (******@vbschools.com), thanks!
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Krupa Thakker 0 Reputation points

2023-11-29T17:21:48.26+00:00

Hi,

I have similar requirement. I need to authenticate the user using OpenIDConnect in Asp.net Webforms. The login page should be that of the Azure Portal Login Page.

I have registered the application in Azure Portal using Azure AD B2C. Have configured the TenantID, ClientID and SignupsigninpolicyId in my web.config file but I am getting below error instead of the Azure Login page.
Please share the Sample code here. Thank you
Krupa Thakker 0 Reputation points

2023-12-13T17:26:57.9233333+00:00

Hi,

Did you find any solution for this issue?

Thanks
Basu, Sayantan 0 Reputation points

2024-03-13T21:43:55.0633333+00:00

Hi, I am facing the same issue with our application. Could you please share the same example code with us?
Nguyen Van Trang (UTOP.UFO) 0 Reputation points

2024-10-22T04:25:44.8166667+00:00

Hi Guys, I want to set AllowRefresh = false when the request has route = "/signalr".

//Provider = new CookieAuthenticationProvider

//{

// OnValidateIdentity = async (context) =>

// {

// var a = context.Properties.AllowRefresh;

// Console.WriteLine(a);

// context.Properties.AllowRefresh = false;

// await Task.CompletedTask;

// }

//}

I implemented it in OnvalidateIdentity. How about the solution?
Nguyen Van Trang (UTOP.UFO) 0 Reputation points

2024-10-22T04:26:33.1133333+00:00

Hi Guys, I want to set AllowRefresh = false when the request has route = "/signalr".

//Provider = new CookieAuthenticationProvider

//{

// OnValidateIdentity = async (context) =>

// {

// var a = context.Properties.AllowRefresh;

// Console.WriteLine(a);

// context.Properties.AllowRefresh = false;

// await Task.CompletedTask;

// }

//}

I implemented it in OnvalidateIdentity. How about the solution?
Abiram Viswanathan 0 Reputation points

2025-03-22T11:41:00.98+00:00

I have the same scenario but the requirement is reverse. The first id_token expires in 15 minutes and we don't want the users to sign in. I am trying to get the new id_token silently, but it is not working. @openidhttps @Microsoft Entra

Answer 1

Hi @Padmasekhar Pottepalem ,

Thanks for reaching out.

ASP.net core provides ExpireTimespan which controls how much time the authentication ticket stored in the cookie will remain valid from the point it is created.

  .Services.ConfigureApplicationCookie(options =>  
    {  
        options.SlidingExpiration = false;  
        options.ExpireTimeSpan = TimeSpan.FromMinutes(15);  
    });

CookieAuthenticationOptions.ExpireTimespan is the option that allows you to set how long the issued cookie is valid for. As mentioned, the cookie is valid for 15 minutes from the time of creation. Once those 15 minutes are up the user will have to sign back in because the SlidingExpiration is set to false and it will not re-issued any request in halfway through ExpireTimespan.

Also, a cookie-based authentication provider without ASP.NET Core Identity can also be used using absolute expiration time which can be set with ExpiresUtc.

new AuthenticationProperties  
    {  
        IsPersistent = true,  
        ExpiresUtc = DateTime.UtcNow.AddMinutes(20)  
    });

You can try either of ExpireTimeSpan or ExprireUtc , However, when ExpiresUtc is set, it overrides the value of the ExpireTimeSpan option of CookieAuthenticationOptions,if set.

Reference : Absolute Cookie Expiration

Thanks,
Shweta

--------------------------

Please remember to "Accept Answer" if answer helped you.

Padmasekhar Pottepalem 1 Reputation point

2022-01-30T17:55:58.563+00:00

Hi Shweta,

Thank you for response. I tried both ways, but no luck. It is not asking using to enter their credentials even after
".AspNet.Cookies" cookie is expired. Our application is build on ASP.NET WEB Forms (.NET Framework 4.6.2). Is there anything we are mission. Am I mission anything?

our requirement is, if user leave the application ideal for 15 min and then try to use, application should ask user to enter their credentials. However, currently it is re-authenticating user internally and providing access.

We don't want internal re-authentication. User have to go through MFA again. Please let me know, we are really need help ASPA.

Share via

Azure AD Authentication with OWIN for ASP.NET WEB Forms Applicaiton - How to logout user after configurable inactive time

1 answer

Your answer