In the default template for ASP.NET MVC 5, there is the option of selecting "Remember this browser" when logging in using two factor authentication.
In ASP.NET MVC, this involves configuring app.UseTwoFactorRememberBrowserCookie(); in Startup.Auth.cs and then using SignInManager.TwoFactorSignInAsync() with isPersistent: true.
I would like to accomplish the same but using ASP.NET Web API with OAuth2 Bearer Tokens.
I.e. I would like the user to be able to log out (or be auto logged out). But the next time when logging in using the same browser, the user only has to provide the password, not two factor authentication.
How would I go about implementing such behavior using OAuth2 Bearer Tokens?
For local login, Web API uses the resource owner password flow defined in OAuth2. The user enters a name and password into the client. The client sends these credentials to the authorization server. The authorization server authenticates the credentials and returns an access token.
Web API assumes that authentication happens in the host. For web-hosting, the host is IIS, which uses HTTP modules for authentication. You can configure your project to use any of the authentication modules built into IIS or ASP.NET, or write your own HTTP module to perform custom authentication.
In IIS Manager, go to Features View, select Authentication, and enable Basic authentication. In your Web API project, add the [Authorize] attribute for any controller actions that need authentication. A client authenticates itself by setting the Authorization header in the request.
Well, in my opinion it's the client side's issue and I would like to rephrase your question into "What is the best place to store authentication tokens in client side?"
You have a couple of options:
With option one, when the tab/browser is closed the token is still alive and next time you are automatically logged in.
$window.sessionStorage.setItem('userInfo-token', 'tokenData');
With option two you can save the token into a cookie and retrieve it when you are going to send a request to the server.
Of course both options have pros and cons; for more information I recommend reading Where to Store your JWTs – Cookies vs HTML5 Web Storage.
I suggest that you need to take more control of the authentication solution and implement your own LoginController with a different login implementation, with a "remember this browser" cookie that you create on the user's browser after a successful ASP.NET Web API OAuth2 Bearer Tokens login exists. Just like ASP.NET MVC app.UseTwoFactorRememberBrowserCookie() does.
If the user logs in with two factor, then logs out, you place a cookie on that browser, a "remember me for 30 days" cookie. Next time they log in, you check for the unexpired cookie and allow login with password only to a different login method other than OAuth2 Bearer Tokens.
You are in control and you do not need ASP.NET Web API OAuth2 Bearer Tokens to solve your entire login solution.
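The "remember this browser" cookie described in this answer can be made safe against forgery by making it a server-signed token rather than a plain "remembered" flag. The following C# is an added example, not code from the question or from any of the answers: it issues an HMAC-SHA256-signed token bound to the user id with an expiry, and validates it on the next login so the second factor can be skipped while the password is still required. The cookie name "RememberBrowser", the 30-day lifetime, the "|"-separated payload layout and the user id "user-123" are assumptions made for this example; the signing key must be a server-side secret. It uses only the .NET base class library (DateTimeOffset.ToUnixTimeSeconds needs .NET Framework 4.6 or later, or .NET Core).

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the page): a server-issued "remember this browser"
// token for a Web API that uses OAuth2 bearer tokens. After a successful
// password + second-factor login the server issues this token in an HttpOnly
// cookie; on the next login the token replaces the second factor, but the
// password is still required.
// Assumptions: key is a server-side secret, userId is the Identity user's Id,
// the cookie name and lifetime are choices made for this example.
public static class RememberBrowserToken
{
    public const string CookieName = "RememberBrowser";
    public static readonly TimeSpan Lifetime = TimeSpan.FromDays(30);

    // Token layout: base64url(userId|expiresUnix|nonce) "." base64url(HMAC-SHA256(payload))
    public static string Issue(byte[] key, string userId, DateTimeOffset now)
    {
        var nonce = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(nonce);
        long expires = now.Add(Lifetime).ToUnixTimeSeconds();
        string payload = userId + "|" + expires + "|" + ToBase64Url(nonce);
        byte[] payloadBytes = Encoding.UTF8.GetBytes(payload);
        return ToBase64Url(payloadBytes) + "." + ToBase64Url(Sign(key, payloadBytes));
    }

    // True only if the MAC verifies, the token is bound to this user and it is unexpired.
    public static bool Validate(byte[] key, string token, string userId, DateTimeOffset now)
    {
        if (string.IsNullOrEmpty(token)) return false;
        string[] parts = token.Split('.');
        if (parts.Length != 2) return false;
        byte[] payloadBytes, mac;
        try
        {
            payloadBytes = FromBase64Url(parts[0]);
            mac = FromBase64Url(parts[1]);
        }
        catch (FormatException) { return false; }

        // Verify the MAC before trusting any field of the payload.
        if (!FixedTimeEquals(Sign(key, payloadBytes), mac)) return false;

        string[] fields = Encoding.UTF8.GetString(payloadBytes).Split('|');
        long expires;
        if (fields.Length != 3 || !long.TryParse(fields[1], out expires)) return false;
        return fields[0] == userId && now.ToUnixTimeSeconds() < expires;
    }

    private static byte[] Sign(byte[] key, byte[] data)
    {
        using (var hmac = new HMACSHA256(key)) return hmac.ComputeHash(data);
    }

    // Constant-time comparison so a forged MAC cannot be guessed byte by byte.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    private static string ToBase64Url(byte[] bytes)
    {
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    private static byte[] FromBase64Url(string s)
    {
        string b64 = s.Replace('-', '+').Replace('_', '/');
        switch (b64.Length % 4)
        {
            case 2: b64 += "=="; break;
            case 3: b64 += "="; break;
            case 1: throw new FormatException("invalid base64url length");
        }
        return Convert.FromBase64String(b64);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed inputs for the demonstration: a random key and a made-up user id.
        var key = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        string userId = "user-123";
        DateTimeOffset now = DateTimeOffset.UtcNow;

        string token = RememberBrowserToken.Issue(key, userId, now);
        Console.WriteLine("same user, in date:  " + RememberBrowserToken.Validate(key, token, userId, now));
        Console.WriteLine("different user:      " + RememberBrowserToken.Validate(key, token, "user-999", now));
        Console.WriteLine("after expiry:        " + RememberBrowserToken.Validate(key, token, userId, now.AddDays(31)));
        Console.WriteLine("tampered token:      " + RememberBrowserToken.Validate(key, token + "x", userId, now));
    }
}
```

To wire this into the bearer-token flow rather than a separate login method, the natural hook is the OAuthAuthorizationServerProvider's GrantResourceOwnerCredentials override: after the password check succeeds, read the cookie from context.Request.Cookies[RememberBrowserToken.CookieName] and call Validate with that user's Id; if it returns true, issue the access token without asking for the second factor, otherwise require it and only after it succeeds append the cookie (HttpOnly and Secure) with a freshly issued token. Logging out should not clear this cookie, since surviving logout is the point of the feature; to let a user forget remembered browsers, add a per-user counter to the payload and reject tokens whose counter does not match the stored one.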