The flow I am trying to figure out is this:
- UserA logs into ClientA
- ClientA redirects to Identity Server to authenticate the user
- after authentication ClientA manages User info in its own system
- UserA is found to be a "bad actor"
- AdminUser goes into IdentityServer AdminTool (a different client application for managing the IdentityServer, including users).
- AdminUser performs an action to "revoke" UserA
- A call is made to the IdentityServer back-end from the admin tool where UserA has an "Enabled" property that is set to false.
At this point in the flow I want to kick the user out of ClientA from the back-end of the IdentityServer.
More context: IdentityServer is using cookies in the client browser to keep the "session" (not sure if that is the right word cause there isn't actually any state being managed). Also using cookies for remember-me.
Is there a way to remove the cookie for the IdentityServer from the back-end? Or notify the client that UserA should no longer have a valid authentication so that it can perform HttpContext.SignOutAsync()?
I was reviewing this link: https://docs.identityserver.io/en/latest/topics/signout.html for guidance but I am stuck on how to do this from the back-end as the AdminUser. Calling HttpContext.SignOutAsync() would sign out the AdminUser that made the request, not UserA that is causing havoc in ClientA.
CodePudding user response:
In a typical setup with identity server you have:
- A JWT token with a short lifetime
- A session cookie
The JWT token needs to be renewed frequently. The session cookie is used when there's no valid JWT. In this case the user will be redirected to the login page and if there's a session cookie the user will be automatically authenticated and redirected back to client app.
So you have some options for your logout:
- Ensure the user cannot renew his JWT (= logout after a few minutes)
- Ensure the user cannot login again
- Really clear everything in the browser (and ensure he cannot login/renew again)
Back to your question
Is there a way to remove the cookie for the IdentityServer from the back-end?
The answer here is WebSockets which allows a two-way communication.
A common library for C# is SignalR.
You would create a Hub on the server side that allows you to send messages to the "bad user".
And listen for those messages in your client app:
Please note: Whatever you do on the client side, the important part is typically to block the server requests. It's not secure to delete the cookie on the client. You have to delete the session on the server side instead.
Additional notes:
- The flows in your setup may be different from what I described above.
- I know, this is just a partial answer, but it's too much content for a comment ;-)
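As an added illustration of the answer's two points (push a "sign out" message to the revoked user over SignalR, but make the server-side session invalidation the real control), here is a minimal ASP.NET Core app. It is example code written for this page, not code from the question, the answer or IdentityServer itself. It assumes a single ASP.NET Core app that issues its own authentication cookie (the same check can be added to both IdentityServer and ClientA); the names `RevocationStore`, `RevocationHub` and the `/admin/revoke/{subjectId}` route are invented, the in-memory store stands in for the database the admin tool writes the `Enabled = false` flag to, and the subject id is assumed to arrive as `ClaimTypes.NameIdentifier`, which is both the default claim the OIDC handler maps `sub` to and the claim SignalR's default user id provider uses for `Clients.User(...)`.

```csharp
// Added example (not from the question, the answer or IdentityServer).
// Revocation = mark the subject revoked on the server, then reject that
// subject's cookie on every later request; the SignalR push only lets the
// browser clean up promptly.
using System.Collections.Concurrent;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.SignalR;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddSingleton<RevocationStore>();
builder.Services.AddSignalR();
builder.Services.AddAuthorization(options =>
    options.AddPolicy("Admin", policy => policy.RequireRole("admin"))); // assumed role name
builder.Services
    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        // This hook runs on every request that presents the cookie (including a
        // persistent "remember me" cookie), so it is the part that actually
        // blocks the user: a copy of the cookie kept by the browser stops
        // working as soon as the subject is in the store.
        options.Events.OnValidatePrincipal = async context =>
        {
            var store = context.HttpContext.RequestServices.GetRequiredService<RevocationStore>();
            var subjectId = context.Principal?.FindFirst(ClaimTypes.NameIdentifier)?.Value;
            if (subjectId is not null && store.IsRevoked(subjectId))
            {
                context.RejectPrincipal();   // request continues as anonymous
                await context.HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
            }
        };
    });

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapHub<RevocationHub>("/hubs/revocation");   // assumed hub path

// Admin action. Order matters: write the server-side revocation first, then
// send the courtesy message; if the push never arrives the user is still out.
app.MapPost("/admin/revoke/{subjectId}",
    async (string subjectId, RevocationStore store, IHubContext<RevocationHub> hub) =>
    {
        store.Revoke(subjectId);
        // Delivered to every connection of that user; the browser's handler for
        // "ForceSignOut" would call its own sign-out endpoint and reload.
        await hub.Clients.User(subjectId).SendAsync("ForceSignOut", "account disabled");
        return Results.NoContent();
    }).RequireAuthorization("Admin");

app.Run();

// Constructed in-memory store of revoked subject ids. A real deployment would
// read the same "Enabled" flag the admin tool sets, ideally via a short-lived
// cache so the per-request check stays cheap.
public sealed class RevocationStore
{
    private readonly ConcurrentDictionary<string, DateTimeOffset> _revoked = new();
    public void Revoke(string subjectId) => _revoked[subjectId] = DateTimeOffset.UtcNow;
    public bool IsRevoked(string subjectId) => _revoked.ContainsKey(subjectId);
}

// The hub carries no server methods of its own; clients only connect and
// listen. [Authorize] ties each connection to the signed-in subject so
// Clients.User(subjectId) can address it.
[Authorize]
public sealed class RevocationHub : Hub { }
```

The design choice to notice is that nothing in the browser is trusted: the admin endpoint never tries to delete the cookie remotely, it marks the subject revoked and lets `OnValidatePrincipal` refuse the cookie on the next request, which covers the remember-me cookie and any copy of the session cookie the user may have saved. If IdentityServer and ClientA keep separate cookies, the same store check has to run in both apps, and short-lived JWTs for ClientA's API calls expire on their own once the user can no longer reach IdentityServer to renew them.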