WsFederation Middleware and Token Expiration

May 7, 2014 at 7:53 PM
Hi, I am using Microsoft.Owin.Security.WsFederation component and it works great. I receive a token back from Identity Provider. But the problem is that it doesn't respect the Token's expiration date. So, even after token has expired I am able to call WebApi Controller's actions and am allowed to do that by the framework. Is there something I need to set for this to work properly?
Coordinator
May 7, 2014 at 7:57 PM
We are designing this right now. The current problem is that the cookie doesn't know anything about the token expiration date. The cookie also has sliding refresh enabled by default, so it keeps renewing itself so long as the user stays active.

In the short term you can disable sliding refresh on the cookie middleware options, and specify how long you want cookies to live.
Marked as answer by serguk86 on 5/7/2014 at 3:37 PM
May 7, 2014 at 8:18 PM
Thanks for the quick response. I tried that and it does what is expected - it redirects me to the ADFS server, which reissues the token without prompting the user to log in. So the cookie is refreshed. What I would like to do when the timeout occurs is to redirect to "/logout" and let it completely sign out and allow the user to log in again. So I specified LoginPath on CookieAuthenticationOptions and set the route to be "/logout". Also, I mapped "/logout" with Owin:

appBuilder.Map("/logout", map =>
{
    map.Run(ctx =>
    {
        // Clear the authentication cookie, then send the browser back to the root.
        ctx.Authentication.SignOut();
        ctx.Response.Redirect("/");
        return Task.FromResult(0); // synchronous work; no await needed
    });
});
but this mapped route "/logout" is not triggered after the token has expired. If I browse to /logout, it logs the user out with no issues.

Thanks,
Serg
May 7, 2014 at 9:00 PM
One more question, when is the expected date of delivery for the expiration stuff to work out of the box?
Coordinator
May 7, 2014 at 9:03 PM
You can't use the cookie to automatically trigger a logout because when the cookie expires the browser will stop sending it. I think you'd need two cookies to manage this, one set to the token lifetime and one with the default settings to just track users. If the tracking cookie is present and the auth cookie is missing then you could trigger a logout.
Marked as answer by serguk86 on 5/7/2014 at 3:37 PM
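One way to wire up what the two coordinator answers above describe (sliding renewal disabled with a fixed cookie lifetime, plus a second tracking cookie whose presence without the auth cookie triggers a full logout), as an added example that is not code from this thread or from the Katana project. The realm, metadata address, cookie name and 60-minute lifetime are placeholder values; the WsFederationAuthenticationDefaults sign-out is assumed to trigger the STS sign-out redirect.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

public class Startup
{
    private const string TrackingCookie = "auth-present"; // constructed name for the second cookie

    public void Configuration(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        // Auth cookie: fixed lifetime with sliding renewal off, so it expires on schedule.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
            SlidingExpiration = false,
            ExpireTimeSpan = TimeSpan.FromMinutes(60), // placeholder: match the lifetime of the STS token
        });
        app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
        {
            Wtrealm = "https://app.example.invalid/", // placeholder realm
            MetadataAddress = "https://sts.example.invalid/FederationMetadata/2007-06/FederationMetadata.xml", // placeholder
        });
        // Tracking cookie (default session lifetime) is set while authenticated. Tracking present but
        // auth cookie gone means the fixed lifetime elapsed: force a full logout instead of a silent re-issue.
        app.Use(async (ctx, next) =>
        {
            var user = ctx.Authentication.User;
            bool authenticated = user != null && user.Identity.IsAuthenticated;
            bool tracked = ctx.Request.Cookies[TrackingCookie] != null;
            if (authenticated && !tracked)
                ctx.Response.Cookies.Append(TrackingCookie, "1", new CookieOptions { HttpOnly = true, Secure = true });
            else if (!authenticated && tracked && !ctx.Request.Path.StartsWithSegments(new PathString("/logout")))
            {
                ctx.Response.Redirect("/logout");
                return;
            }
            await next();
        });
        app.Map("/logout", map => map.Run(ctx =>
        {
            ctx.Response.Cookies.Delete(TrackingCookie);
            // Sign out of both types: clears the local cookie and lets the WS-Fed middleware redirect to STS sign-out.
            ctx.Authentication.SignOut(CookieAuthenticationDefaults.AuthenticationType, WsFederationAuthenticationDefaults.AuthenticationType);
            ctx.Response.Redirect("/");
            return Task.FromResult(0);
        }));
    }
}
```

The tracking middleware must be registered after the cookie middleware, otherwise ctx.Authentication.User is not yet populated when it runs.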
Coordinator
May 7, 2014 at 9:12 PM
We should get expiration stuff working in the next week or two.
Marked as answer by serguk86 on 5/7/2014 at 3:37 PM
May 7, 2014 at 9:31 PM
Great, thanks! When is the expected release of the "Microsoft.Owin.Security.WsFederation" middleware (still beta)? I couldn't find the information on this component itself.