IdentityServer / IdentityServer3

OpenID Connect Provider and OAuth 2.0 Authorization Server Framework for ASP.NET 4.x/Katana
https://identityserver.github.io/Documentation/
Apache License 2.0

Force users to login for authorization endpoint #3895

Closed Kahbazi closed 7 years ago

Kahbazi commented 7 years ago

Hi, is there any way from the server side to force users to log in for every request to the authorization endpoint, besides using prompt=login?

brockallen commented 7 years ago

Change the cookie lifetime to be very very short in IdSvr.

Kahbazi commented 7 years ago

Thanks. That was my first solution, but I couldn't do this because of security issues. This is what I wrote, and I would really appreciate your opinion on my solution.

In IdentityServer I disabled LocalLogin and wrote an external login provider. Whenever a user logs in successfully via the login provider, I add signinid to the user's claims and to a static List.

I also wrote a middleware and put it between IdentityServer Cookie Authentication and IdentityServer WebApi. In this middleware I get signinid from the claims, and if it does not exist in the List, I add the prompt=login query string.

Do you think this is a good idea?

brockallen commented 7 years ago

Really not sure... I'd have to work thru your scenario. Sorry.

Kahbazi commented 7 years ago

ok, thanks.