
IdentityServer4 Force User to re-enter credentials

I am using IdentityServer4 and an MVC client. When the client's session expires I want my users to be forced to log in again. However, no matter what I do, IdentityServer seems to automatically log the user back in when the session ends.

My Startup in the client is as follows (the session is 30 seconds to test):

services.AddAuthentication(options =>
    {
        options.DefaultScheme = "Cookies";
        options.DefaultChallengeScheme = "oidc";
    })
    .AddCookie("Cookies", options => { options.ExpireTimeSpan = new TimeSpan(0, 0, 30); })
    .AddOpenIdConnect("oidc", options =>
    {
        options.SignInScheme = "Cookies";

        options.Authority = identityUrl;
        options.RequireHttpsMetadata = false;

        options.SaveTokens = true;
        options.GetClaimsFromUserInfoEndpoint = true;

        options.Scope.Add("Billing");
        options.Scope.Add("offline_access");

        options.UseTokenLifetime = false;
    });

Then my config in IdentityServer is as follows:

new Client
{
    ClientId = "Test",
    ClientName = "Test",
    AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,

    AlwaysIncludeUserClaimsInIdToken = true,

    RequireConsent = false,

    IdentityTokenLifetime = 30,
    AccessTokenLifetime = 30,

    ClientSecrets =
    {
        new Secret("secret".Sha256())
    },

    RedirectUris = { billingUrl + "/signin-oidc" },
    PostLogoutRedirectUris = { billingUrl + "/signout-callback-oidc" },

    AllowedScopes =
    {
        IdentityServerConstants.StandardScopes.OpenId,
        IdentityServerConstants.StandardScopes.Profile,
        "Billing",
        "role",
        "VisionBlue.Cloud.BillingAPI"
    },

    AllowOfflineAccess = true
},

Using Fiddler, I can see that after 30 seconds a request is sent to /connect/authorize on the IdentityServer, which automatically logs the user in again.

Any ideas? I have set all timeouts to 30 seconds as a test.

keitn asked Dec 07 '22 15:12

2 Answers

Use the OpenID Connect parameter of prompt=login on your authorization request (https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). This will tell IdentityServer that you want the user to re-authenticate instead of using SSO or IdentityServer session length.

You should be able to do this in ASP.NET Core in your OpenIdConnectOptions:

options.Events.OnRedirectToIdentityProvider = context =>
{
    context.ProtocolMessage.Prompt = "login";
    return Task.CompletedTask;
};

There might be an easier way to set this though.

Scott Brady answered Dec 10 '22 03:12


The accepted answer is correct, but there is another option, and that's the max_age param. With that you can specify the max allowed time since auth_time, and it will automatically prompt the user to authenticate again if this time is exceeded. You can also check the auth_time claim in the id_token when signing in to ensure that it's within your desired window. I'd recommend this, as it's easy for end users to remove prompt=login or max_age=xxx from the authorize request should they wish to.

mackie answered Dec 10 '22 05:12
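Putting both answers together as an added example (this is not code from the question or either answer): the client sends max_age on the authorize request, and a server-side OnTokenValidated check rejects any id_token whose auth_time is older than the window, so a user who strips max_age from the request still cannot keep a stale session. The class name ReauthenticationSetup and the 30-second window are assumptions chosen to match the question; OpenIdConnectOptions.MaxAge and Prompt are assumed to be available in the ASP.NET Core version in use.

```csharp
// Added example, not from the question or the answers: enforce re-authentication
// on the client side both by request parameter and by checking auth_time.
using System;
using System.Globalization;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

public static class ReauthenticationSetup   // hypothetical helper class
{
    // Maximum allowed age of the user's interactive login at IdentityServer
    // (30 seconds to match the timeouts used in the question).
    private static readonly TimeSpan MaxAuthAge = TimeSpan.FromSeconds(30);

    // Tolerance for clock skew between the client and IdentityServer.
    private static readonly TimeSpan Skew = TimeSpan.FromSeconds(5);

    public static void Configure(OpenIdConnectOptions options)
    {
        // Authority, ClientId, scopes etc. are configured as in the question.

        // Accepted answer: always force a fresh login (equivalent to setting
        // context.ProtocolMessage.Prompt in OnRedirectToIdentityProvider).
        // options.Prompt = "login";

        // Second answer: send max_age so IdentityServer prompts for credentials
        // when the last interactive login is older than the window.
        options.MaxAge = MaxAuthAge;

        // Defensive check: the id_token's auth_time must be inside the window,
        // regardless of what the browser actually sent to /connect/authorize.
        options.Events.OnTokenValidated = context =>
        {
            var raw = context.Principal?.FindFirst("auth_time")?.Value;
            if (raw == null || !long.TryParse(raw, NumberStyles.Integer,
                                             CultureInfo.InvariantCulture, out var seconds))
            {
                context.Fail("id_token has no usable auth_time claim");
                return Task.CompletedTask;
            }

            var authenticatedAt = DateTimeOffset.FromUnixTimeSeconds(seconds);
            if (DateTimeOffset.UtcNow - authenticatedAt > MaxAuthAge + Skew)
            {
                context.Fail($"auth_time {authenticatedAt:O} is older than {MaxAuthAge.TotalSeconds}s");
            }
            return Task.CompletedTask;
        };
    }
}
```

Wire it in with `.AddOpenIdConnect("oidc", ReauthenticationSetup.Configure)`; a failed check rejects the sign-in, so the user lands back on IdentityServer's login page instead of silently getting a new cookie.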