I am currently struggling with setting the timeout on the cookie/auth token when authenticating my .NET Core App using Azure AD via the OpenIdConnect authentication model.
The sign-in scheme is being set in the ConfigureServices method via the following:
services.AddAuthentication(options => options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme);
I am then setting up my configuration as follows:
app.UseCookieAuthentication(new CookieAuthenticationOptions()
{
    CookieName = "MyCookie",
    ExpireTimeSpan = TimeSpan.FromHours(2)
});
app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions()
{
    Authority = authorityUri.AbsoluteUri,
    ClientId = azureOptions.ClientId,
    ClientSecret = azureOptions.ClientSecret,
    ResponseType = OpenIdConnectResponseTypes.CodeIdToken,
    Events = new OpenIdConnectEvents()
    {
        OnAuthorizationCodeReceived = async context =>
        {
            await aAuthenticateMiddleware.OnAuthenticate(context, logger);
        }
    }
});
app.UseMiddleware<aAuthenticateMiddleware>();
Note that I am not using the built-in Identity (as it's not practical for our purposes) but rather a custom middleware.
Within the middleware layer I am checking whether the user is authenticated and if not a challenge is issued:
// Send the user back to the page they asked for once Azure AD has signed them in.
var authenticationProperties = new AuthenticationProperties() { RedirectUri = context.Request.Path.Value ?? "/" };
authenticationProperties.AllowRefresh = false;
// The *Utc properties take a DateTimeOffset; use UtcNow rather than local DateTime.Now.
authenticationProperties.IssuedUtc = DateTimeOffset.UtcNow;
authenticationProperties.ExpiresUtc = DateTimeOffset.UtcNow.AddHours(2);
await context.Authentication.ChallengeAsync(
    authenticationManager.IdentityProvider.AuthenticationScheme,
    authenticationProperties,
    ChallengeBehavior.Automatic
);
This all works fine and authenticates the user correctly, etc. However, it is issuing the auth token (and cookie) with a 15 minute expiry and ignoring the 2 hour expiry that I have tried setting.
I have been referring to the latest source examples from GitHub from the aspnet/security repository for examples; however, none of these mention anything about overriding the default expiry issued.
https://github.com/aspnet/Security/tree/dev/samples/OpenIdConnect.AzureAdSample
Most examples I have found are still referencing the old AspNet libraries rather than the AspNetCore libraries.
Some articles suggest that using SignInAsync with persistent set to true allows the ExpireTimeSpan to be honored; however, this throws a "Not Supported Exception" when calling it. Perhaps SignInAsync is not supported via Azure AD?
Does anyone have any insight on how to achieve this?
In UseOpenIdConnectAuthentication,
set UseTokenLifetime = false.
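To show where that setting sits relative to the asker's configuration, here is an added example (not the asker's code and not from the aspnet/Security samples) of an ASP.NET Core 1.x Startup in which the cookie's ExpireTimeSpan, rather than the lifetime of the id_token returned by Azure AD, decides how long the session lasts. The names authorityUri, azureOptions, aAuthenticateMiddleware and logger are assumed from the question; how they are populated is left as a placeholder.

```csharp
using System;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

public partial class Startup
{
    // Assumed to exist in the asker's Startup; populated from configuration elsewhere (placeholder).
    private readonly Uri authorityUri;
    private readonly AzureAdOptions azureOptions;
    private readonly ILogger logger;

    public void ConfigureServices(IServiceCollection services)
    {
        // Tokens from the OpenID Connect handler are persisted via the cookie scheme.
        services.AddAuthentication(options =>
            options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme);
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions()
        {
            CookieName = "MyCookie",
            // Once UseTokenLifetime is off, this is the session lifetime the cookie actually gets.
            ExpireTimeSpan = TimeSpan.FromHours(2),
            // false = hard 2 hour cap; true would renew the cookie on activity past the halfway point.
            SlidingExpiration = false,
            // Keep the session cookie out of script and off plain HTTP.
            CookieHttpOnly = true,
            CookieSecure = CookieSecurePolicy.Always
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions()
        {
            Authority = authorityUri.AbsoluteUri,
            ClientId = azureOptions.ClientId,
            ClientSecret = azureOptions.ClientSecret,
            ResponseType = OpenIdConnectResponseTypes.CodeIdToken,
            // Defaults to true in ASP.NET Core 1.x: the handler copies the id_token's exp claim into the
            // ticket's ExpiresUtc, which is what overrides ExpireTimeSpan and any ExpiresUtc passed to
            // ChallengeAsync. Turning it off leaves the cookie options in charge of the session lifetime.
            UseTokenLifetime = false,
            Events = new OpenIdConnectEvents()
            {
                OnAuthorizationCodeReceived = context =>
                    aAuthenticateMiddleware.OnAuthenticate(context, logger)
            }
        });

        app.UseMiddleware<aAuthenticateMiddleware>();
    }
}
```

With UseTokenLifetime = false the session lifetime is decoupled from the identity provider's token lifetime, so the ExpireTimeSpan (and SlidingExpiration) on the cookie options become the only thing bounding how long a stolen or abandoned session cookie stays valid; set them deliberately rather than leaving the defaults.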