Refresh Token automatically and add new User Security Groups Azure AD

I have a simple ASP.Net Web-APP using Azure AD with Role/Claims Authentication/Authorization. Basically the app checks IsInRole() for the user and then, depending on what is returned, he gets access to the area of the web-app. We are using SECURITY GROUPS in Azure AD. The scenario here is that a User belongs to Group1 and upon login to the web-app he gets access to the Group1 area; now the Administrator at the backend adds the user to Group2 as well. What we want is, without the user logging out and logging back in to the portal, for his token to contain this newly added Group2 as well. Is there any way to refresh the token to have the additional Group2 added to that user's token without him logging out and in to the app?

Any way to force refresh the token with new information?

Appreciate your help.

Thank you.

user42012 asked Oct 16 '22 16:10


1 Answer

Refresh Token to Acquire new Access Token

One approach could be to use a Refresh Token to acquire a new Access Token if you're using a grant like Authorization code grant in your web application.

You can read more about it here - Refreshing the Access Tokens

Your application will need to decide when to acquire a new access token, so it can do that when it's aware that group membership has been updated by a backend component/admin.

Now a separate topic that you haven't mentioned much about is how your web application, where the user is already signed in, would get to know about such an event, but something like a SignalR notification could possibly help.

Things to note:

  • Working with refresh tokens can be a little brittle as they can get revoked for reasons not controlled by your app (e.g. password change for the user, expiration, although that's long, and other reasons too). In case of such errors, getting a new authorization code would be the only option left.

  • Refresh tokens must be kept securely.

  • Specifically in the case of the groups claim, there can be overage scenarios where the access token alone may not help.


Alternative approach (instead of trying to force refresh the token with new information as you mention)

If the groups claim is what you're after, then make use of the Microsoft Graph API to get information about the security groups that the user belongs to, instead of looking at just the access token.

Your application code can call the Microsoft Graph API again at any point to get new membership details, i.e. Group1 and Group2 as per your example (when it's aware that group membership has been updated by a backend component/admin). SignalR or some other way to notify your app of such changes would be relevant here as well.

Relevant Microsoft Graph APIs

  • user:GetMemberGroups

    POST https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}/getMemberGroups

    This is just one that seems relevant to me, but there are other similar APIs like memberOf and you can choose based on your requirement.

Advantages

  1. You get around any overage scenarios where the user belongs to many groups, so the access token doesn't provide you all the group information you need anyway.

  2. You don't need to force a logout and login again for the user in order to get an access token with fresh information.

Overage scenario details for the groups claim in the access token

Currently you may have edited your application's manifest and set the "groupMembershipClaims" property to "All" or "SecurityGroup" so that the access token gets a groups claim with all group ids to which the user belongs.


To ensure that the token size doesn't exceed HTTP header size limits, Azure AD limits the number of objectIds that it includes in the groups claim. If a user is a member of more groups than the overage limit (150 for SAML tokens, 200 for JWT tokens), then Azure AD does not emit the groups claim in the token. Instead, it includes an overage claim in the token that indicates to the application that it should query the Graph API to retrieve the user's group membership.

Rohit Saigal answered Oct 20 '22 03:10
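The Graph-based approach from the answer above, as an added C# example (not code from the original answer or from Microsoft): it detects the overage indicator in the signed-in principal, fetches current membership with getMemberGroups, and rebuilds the "groups" claims in place so authorization checks see Group2 without a logout. It assumes the caller already holds a Graph access token with a group-read permission (e.g. GroupMember.Read.All, obtained via MSAL), passes the user's object id from the "oid" claim, and then re-issues the session cookie with the updated identity.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

public static class GroupMembership
{
    // Azure AD signals overage by omitting "groups" and emitting _claim_names/_claim_sources
    // (or "hasgroups" for implicit flow); in that case the token cannot be used for membership.
    public static bool HasGroupsOverage(ClaimsPrincipal user) =>
        user.HasClaim(c => c.Type == "_claim_names") || user.HasClaim(c => c.Type == "hasgroups");

    // Group ids as carried by the token, or null when overage means the list is incomplete.
    public static IReadOnlyList<string> GroupsFromToken(ClaimsPrincipal user) =>
        HasGroupsOverage(user) ? null : user.FindAll("groups").Select(c => c.Value).ToList();

    // POST /users/{id}/getMemberGroups; Graph answers {"value": ["<group-id>", ...]}.
    // securityEnabledOnly=true restricts the result to security groups, matching the question.
    public static async Task<IReadOnlyList<string>> GroupsFromGraphAsync(
        HttpClient http, string graphAccessToken, string userObjectId)
    {
        var request = new HttpRequestMessage(HttpMethod.Post,
            $"https://graph.microsoft.com/v1.0/users/{userObjectId}/getMemberGroups");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", graphAccessToken);
        request.Content = new StringContent("{\"securityEnabledOnly\": true}", Encoding.UTF8, "application/json");
        using var response = await http.SendAsync(request);
        response.EnsureSuccessStatusCode();
        using var doc = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
        return doc.RootElement.GetProperty("value").EnumerateArray().Select(e => e.GetString()).ToList();
    }

    // Replace stale "groups" claims on the signed-in identity with the fresh list. The caller then
    // re-signs the identity into the cookie (assumed: HttpContext.SignInAsync with the cookie scheme)
    // so role/policy checks that map the groups claim pick up the newly added group.
    public static void ReplaceGroupClaims(ClaimsIdentity identity, IEnumerable<string> groupIds)
    {
        foreach (var stale in identity.FindAll("groups").ToList()) identity.RemoveClaim(stale);
        foreach (var id in groupIds) identity.AddClaim(new Claim("groups", id));
    }
}
```

Run the refresh only from a trusted trigger (the admin notification the answer mentions), and treat the Graph result, not the cached token, as the source of truth whenever HasGroupsOverage returns true.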