Open Closed

Automatic logout when using AzureAD does not work #6881


User avatar
0
ageiter created
  • ABP Framework version: v8.0.4
  • UI Type: Blazor Server
  • Database System: EF Core (SQL Server)
  • Tiered (for MVC) or Auth Server Separated (for Angular): no

Our customer uses Microsoft Entra ID (Azure AD) as an external provider. A lifetime of 10 hours is configured in the conditional access policy. After 12 hours (or even longer), the page is reopened in the browser, but he does not have to authenticate again. One click on the Microsoft login button is enough and he is logged in. According to the setup in Entra, MFA would be required, but this query does not appear. He only had to do MFA the very first time he logged in.

We have been looking for the cause for a while now, but haven't found anything yet. What are we overlooking?


Second question on this topic: For logins with "local" ABP users (not via Microsoft Entra), we would like to configure that the user is automatically logged out after 15 minutes of inactivity.

I have set the following, but unfortunately this does not work:

PreConfigure<OpenIddictServerBuilder>(builder =>
{
    builder.SetAccessTokenLifetime(TimeSpan.FromMinutes(15));
    builder.SetIdentityTokenLifetime(TimeSpan.FromMinutes(15));
});

Thanks for help! Adrian


3 Answer(s)
  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    1. We have been looking for the cause for a while now, but haven't found anything yet. What are we overlooking?

    This doesn't sound relevant to abp. You can set the validity period of identity cookies to 10 hours.

    1. Second question on this topic: For logins with "local" ABP users (not via Microsoft Entra), we would like to configure that the user is automatically logged out after 15 minutes of inactivity.

    Same as 1

    https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity-configuration?view=aspnetcore-8.0#cookie-settings

  • User Avatar
    0
    ageiter created

    Even though it may not be directly related to ABP, do you know more about it and can perhaps help me anyway?

    I have now tested the cookie expire time. The result of this is that you have to log in to the application again after the corresponding time (which would be good in principle), but the login to Microsoft still happens automatically and without entering a password and MFA.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    I think Microsoft Azure AD should support Federated Sign-out. You can try to call the SignOutAsync

    await Context.SignOutAsync("Microsoft Azure AD Scheme");
    
Made with ❤️ on ABP v9.1.0-preview. Updated on November 11, 2024, 11:11