4
votes

I am using Azure B2C with one identity provider configured (LinkedIn). I have a Web API (b2c bearer auth) and a Web App MVC (b2c Open Id).

I'm trying to create a persistent login - meaning the user can login via LinkedIn once every 90 days from the given device+browser.

The closest I've gotten is when I added IsPersistent = true code in the web app to enable that:

Update: Updated code based on Azure B2C GA. To achieve where I was at with Preview, I still use a custom authorize attribute, but the code was updated:

    using System.Web;
    using System.Web.Mvc;
    using Microsoft.Owin.Security;

    // Enclosing class assumed; the question posted only the overridden method.
    public class B2CAuthorizeAttribute : AuthorizeAttribute
    {
        protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
        {
            // Ask the OWIN middleware for a persistent cookie rather than a session cookie.
            filterContext.HttpContext.GetOwinContext().Authentication.Challenge(
                new AuthenticationProperties()
                {
                    IsPersistent = true
                });
            base.HandleUnauthorizedRequest(filterContext);
        }
    }

However, this is only valid for about 1 hour. Perhaps it is following the Access & ID policy? With no bounds on the refresh token - I am not sure why only 1 hour for "IsPersistent".

[Image: Token Session Config in Azure]

So that leads to these questions:

  1. Is a Persistent session (60-90 days) something I can achieve with Azure B2C (OpenId Connect)?
  2. If so, any pointers on what I am missing? Do I need to do some custom cookie validation? Something with refresh tokens (I use them for the web api, but nothing custom in the web app).

Any thoughts or input would be great!


1 Answer

2
votes

I have been able to achieve a persistent session with B2C after doing the following:

  1. Custom Authorization Attribute

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        filterContext.HttpContext.GetOwinContext()
             .Authentication.Challenge(
                  new AuthenticationProperties() { IsPersistent = true }
              );
        base.HandleUnauthorizedRequest(filterContext);
    }
    
  2. Use Microsoft.Experimental.IdentityModel.Clients.ActiveDirectory instead of BootstrapContext (basically went with the pre-GA code sample (view change history) -> https://github.com/AzureADQuickStarts/B2C-WebApp-WebAPI-OpenIDConnect-DotNet). The ADAL library handles getting a proper token transparently to my code.

  3. Implemented a custom TokenCache (based on the EFADAL example here: https://github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-multitenant-openidconnect/blob/master/TodoListWebApp/DAL/EFADALTokenCache.cs)

  4. Changed Startup.Auth.cs:

    // Enclosing method assumed; the answer posted only the return statement.
    private OpenIdConnectAuthenticationOptions CreateOptionsFromPolicy(string policy)
    {
        return new OpenIdConnectAuthenticationOptions
        {
            MetadataAddress = String.Format(aadInstance, tenant, policy),
            AuthenticationType = policy,
            // Stop the sign-in cookie from inheriting the short id_token lifetime.
            UseTokenLifetime = false,
            ClientId = clientId,
            RedirectUri = redirectUri,
            PostLogoutRedirectUri = redirectUri,
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthenticationFailed = OnAuthenticationFailed,
                AuthorizationCodeReceived = OnAuthorizationCodeReceived,
            },
            // offline_access requests a refresh token; "code id_token" is the hybrid flow.
            Scope = "openid offline_access",
            ResponseType = "code id_token",
            TokenValidationParameters = new TokenValidationParameters
            {
                NameClaimType = "name",
                SaveSigninToken = true,
            },
        };
    }
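The Startup.Auth.cs wiring that step 4 plugs into, as an added example (not the answerer's code): it pairs UseTokenLifetime = false with an explicit 90-day cookie lifetime, which is the setting that actually defines the persistent-login window. It assumes the same field names as the answer's snippet (aadInstance, tenant, clientId, redirectUri), a signInPolicy field and the two notification handlers.

```csharp
using System;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    // Assumed to exist elsewhere in Startup: string aadInstance, tenant, clientId,
    // redirectUri, signInPolicy; OnAuthenticationFailed; OnAuthorizationCodeReceived.

    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
            // With UseTokenLifetime off, this is the 90-day window; IsPersistent = true
            // in the challenge makes the cookie survive browser restarts.
            ExpireTimeSpan = TimeSpan.FromDays(90),
            SlidingExpiration = true,
            // A 90-day cookie is a long-lived credential: HTTPS only, out of script reach.
            CookieSecure = CookieSecureOption.Always,
            CookieHttpOnly = true,
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            MetadataAddress = String.Format(aadInstance, tenant, signInPolicy),
            AuthenticationType = signInPolicy,
            ClientId = clientId,
            RedirectUri = redirectUri,
            // Default is true: the cookie then expires with the id_token (about an hour
            // under the question's token policy), regardless of IsPersistent.
            UseTokenLifetime = false,
            // offline_access returns a refresh token for the Web API calls; the ADAL
            // token cache from step 3 keeps it, independent of the sign-in cookie.
            Scope = "openid offline_access",
            ResponseType = "code id_token",
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthenticationFailed = OnAuthenticationFailed,
                AuthorizationCodeReceived = OnAuthorizationCodeReceived,
            },
        });
    }
}
```

Sign-out must still call SignOut for both the cookie and the policy authentication types, otherwise the long-lived cookie outlives the B2C session.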