- ABP Framework version: v8.0.4
- UI Type: Blazor Server
- Database System: EF Core (SQL Server)
- Tiered (for MVC) or Auth Server Separated (for Angular): no
Our customer uses Microsoft Entra ID (Azure AD) as an external provider. A lifetime of 10 hours is configured in the conditional access policy. After 12 hours (or even longer), the page is reopened in the browser, but he does not have to authenticate again. One click on the Microsoft login button is enough and he is logged in. According to the setup in Entra, MFA would be required, but this query does not appear. He only had to do MFA the very first time he logged in.
We have been looking for the cause for a while now, but haven't found anything yet. What are we overlooking?
Second question on this topic: For logins with "local" ABP users (not via Microsoft Entra), we would like to configure that the user is automatically logged out after 15 minutes of inactivity.
I have set the following, but unfortunately this does not work:
```csharp
// Configures the lifetime of tokens issued by OpenIddict (access and identity
// tokens); this setting does not change the lifetime of the Identity cookie.
PreConfigure<OpenIddictServerBuilder>(builder =>
{
    builder.SetAccessTokenLifetime(TimeSpan.FromMinutes(15));
    builder.SetIdentityTokenLifetime(TimeSpan.FromMinutes(15));
});
```
Thanks for help! Adrian
3 Answer(s)
-
0
hi
- We have been looking for the cause for a while now, but haven't found anything yet. What are we overlooking?
This doesn't sound relevant to ABP. You can set the validity period of identity cookies to 10 hours.
- Second question on this topic: For logins with "local" ABP users (not via Microsoft Entra), we would like to configure that the user is automatically logged out after 15 minutes of inactivity.
Same as 1
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity-configuration?view=aspnetcore-8.0#cookie-settings
-
0
Even though it may not be directly related to ABP, do you know more about it and can perhaps help me anyway?
I have now tested the cookie expiry time. The result is that you have to log in to the application again after the corresponding time (which would be good in principle), but the login to Microsoft still happens automatically, without entering a password or MFA.
-
0
hi
I think Microsoft Azure AD should support Federated Sign-out. You can try to call the SignOutAsync:

```csharp
await Context.SignOutAsync("Microsoft Azure AD Scheme");
```
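Putting the two answers together, here is an added example (not code from the thread, from ABP or from Microsoft) of an ABP module that gives local users a sliding 15-minute cookie and a sign-out that also ends the Entra ID session; the scheme name "Microsoft Azure AD Scheme", the module and service names are assumptions.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;
using Volo.Abp.DependencyInjection;
using Volo.Abp.Modularity;

public static class EntraAuth
{
    // Assumed: the scheme name passed to AddOpenIdConnect(...) for Entra ID.
    public const string Scheme = "Microsoft Azure AD Scheme";
}

public class MyBlazorServerModule : AbpModule
{
    public override void ConfigureServices(ServiceConfigurationContext context)
    {
        // Question 2: the OpenIddict token lifetimes do not govern a Blazor Server
        // login; the Identity application cookie does. A sliding 15-minute cookie
        // is renewed on each request and expires after 15 minutes without one.
        context.Services.ConfigureApplicationCookie(options =>
        {
            options.ExpireTimeSpan = TimeSpan.FromMinutes(15);
            options.SlidingExpiration = true;
        });
    }
}

// Question 1: clearing only the application cookie leaves the Entra ID session
// alive, so the next "Microsoft" click is a silent SSO. Signing out of the OIDC
// scheme as well redirects the browser to Entra's end_session endpoint; the
// following sign-in is then evaluated again by the conditional access policy.
public class FederatedSignOutService : ITransientDependency
{
    public async Task SignOutEverywhereAsync(HttpContext httpContext)
    {
        await httpContext.SignOutAsync(IdentityConstants.ApplicationScheme);
        await httpContext.SignOutAsync(EntraAuth.Scheme, new AuthenticationProperties
        {
            RedirectUri = "/" // must be a registered post-logout redirect URI in Entra
        });
    }
}
```

The sign-out has to run inside a normal HTTP request (for example the logout Razor page or an endpoint), not from inside a Blazor Server circuit, because the OpenID Connect hand-off is a browser redirect.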