brockallen
commented
8 years ago Understanding that newly added claims do not become operative within a current session - the user has to have logged in to see the effect of a new claim.
Or you can just re-issue the cookie if the app knows the claims have changed.
In any event, this issue is not a MR specific problem -- it's a data in 2 places problem. If the data changes then your app somehow would need to know it's changed and re-issue the cookie.
justSteve
Understanding that newly added claims do not become operative within a current session - the user has to have logged in to see the effect of a new claim.
I'm struggling with scenarios where users are returning to my site into an authenticated session based on the FedAuth cookie but do not see claims that were added since their last visit. But as soon as they logoff and re-log in, the claim is visible.
I'm using the UserClaims table in what I believe to be the correct convention - I have a FK relation to UserAccounts and add claims of my own type as the result of user transactions. So the user could have multiple UserClaims of type:
http://myDomain.com/ws/2014/01/identity/claims/DisplayMaterial:If the claim with OrderId 117314 was issued since the user's last visit/login, it's not visible until he logs off and back in.
I can't be sure but I believe this is intermittent. Based on my site's overall volume vs the number of problem reports I'm getting I have the sense that at least some users are seeing newly added claims without the logoff/login requirement.
It would be very helpful to have a definitive understanding of what I should expect (in terms of Claims behavior) in situations where authentication is via FedAuth instead of the explicit login dialog.
In case it comes into play - I'm using a fairly old version of MR