I am using the standard ASP.net OWIN OAuth middleware system to authenticate local users with Bearer tokens. I was thinking of embedding roles as a claim in the token, but was wondering how I would be able to change a user's role, such as taking away admin privileges, without them logging out. Any ideas?
1 Answer
It's always possible to implement some dirty solutions to support your problem, for example: when the roles have changed, raise an event in a queue like RabbitMQ / NServiceBus (or via an event). The subscriber (website) will invalidate the cookie and regenerate a new one with new claims.
I don't see the issue with waiting for the cookie to expire. In fact a bearer token (identity or access) has an "expires_in" property, so even if your cookie is regenerated with new claims, the token is still valid in the provider. Another remark: your permissions can be returned by a UMA server, they shouldn't necessarily come from your claims. Take a look at this scenario: http://lokit.westus.cloudapp.azure.com/Documentation#third-scenario-limit-access-to-certain-website-features
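The answer points out that a bearer token stays valid in the provider until `expires_in`. As an added example (not part of the answer above, and a different approach from its event-driven cookie regeneration), here is the complementary check on the resource-server side with the OWIN bearer middleware: a `roles_version` claim stamped at issue time is compared on every request with the current version from a store, so a token issued before an admin changed the user's roles is rejected at once instead of living until expiry. `IRoleVersionStore`, the `roles_version` claim and `StaleRolesBearerProvider` are assumptions of this example, not OWIN APIs; `OAuthBearerAuthenticationProvider`, `OnValidateIdentity`, `Validated()` and `Rejected()` are the real Microsoft.Owin.Security.OAuth members.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security.OAuth;

// Hypothetical store (assumption of this example): the current "roles version" per user,
// bumped by the application whenever an administrator changes that user's roles.
public interface IRoleVersionStore
{
    Task<int> GetCurrentVersionAsync(string userId);
}

public class StaleRolesBearerProvider : OAuthBearerAuthenticationProvider
{
    // Custom claim (assumption): written into the token when it is issued.
    public const string RolesVersionClaim = "roles_version";
    private readonly IRoleVersionStore _store;

    public StaleRolesBearerProvider(IRoleVersionStore store)
    {
        _store = store;
        OnValidateIdentity = ValidateIdentityAsync;
    }

    // Runs on every bearer-authenticated request, after the middleware has already
    // verified the token's protection and expiry. Rejecting here makes the request anonymous.
    private async Task ValidateIdentityAsync(OAuthValidateIdentityContext context)
    {
        ClaimsIdentity identity = context.Ticket.Identity;
        Claim userId = identity.FindFirst(ClaimTypes.NameIdentifier);
        Claim version = identity.FindFirst(RolesVersionClaim);
        int issuedVersion;
        if (userId == null || version == null || !int.TryParse(version.Value, out issuedVersion))
        {
            context.Rejected(); // token predates the scheme or is malformed: fail closed
            return;
        }

        int currentVersion = await _store.GetCurrentVersionAsync(userId.Value);
        if (issuedVersion != currentVersion)
        {
            context.Rejected(); // roles changed since issue: client must obtain a fresh token
            return;
        }
        context.Validated();
    }
}
```

Wire it up in Startup by setting `Provider = new StaleRolesBearerProvider(store)` on the `OAuthBearerAuthenticationOptions` passed to `app.UseOAuthBearerAuthentication`; the cost is one store lookup per request, which is what buys immediate revocation.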