Tags: azure, asp.net-core, .net-core, azure-active-directory, .net-core-2.2

Azure Active Directory - user's group claims are not up-to-date


I have a .NET Core webapp that uses Azure Active Directory to authenticate users. I have configured the app access in Azure AD and then I put this in my Startup class:

//Use Azure Active Directory OAuth 2.0 authentication
services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
        .AddAzureAD(options => Configuration.Bind("AzureAd", options)); //AzureAD settings are stored in appsettings.json

This works correctly and users can successfully authenticate with their Azure AD company account.

However, inside one of my controllers I need to check which security groups the user is a member of, to perform some security checks. So I use this code to check if the user is part of a certain security group:

// true if the signed-in user's claims include a group claim whose value is the given group object id
var groupClaims = User.HasClaim(claim => claim.Type == "group" && claim.Value == mySecurityGroupUid);

This works... kind of.
The problem is that the collection of Claims inside the User object is only updated when the user logs out of the web app and logs back in. If the user does not explicitly log out of the webapp and log back in, the list of claims does not update.

This is a big problem, because it means that if, for example, I remove a user from a security group, that change will not be reflected in my webapp until the user logs out. This means that the user might be able to access data that he is not authorized to access anymore, because the webapp still thinks he belongs to the old set of groups.

Even stopping and re-deploying the web application does not update the groups, the only way I found to force the groups to update is to have the user explicitly logout of the webapp and log back in.

So my questions are:

  • Is this the intended behavior? Or am I doing something wrong?
  • Is there a way to force the list of claims to "sync" with Azure AD?
  • If not, is there a way I can forcibly log out all users when my webapp stops and restarts, so I know all users are forced to log back in, which in turn will update their claims?

Solution

  • I solved this by using the implementation posted here:

    https://stackoverflow.com/a/51210553/300741

    This approach uses a RAM-backed server-side object to store session data, so instead of all user info and claims being in the cookie, they're stored on the server and the cookie just contains a token that the server uses to identify the session. This guarantees that sessions are cleared when the webapp restarts, solving my problem.
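The following is an added example of the server-side session approach described in the answer above; it is not code from the linked answer or from the original post. It implements ASP.NET Core's ITicketStore with an in-process dictionary and wires it to the cookie scheme that AddAzureAD registers, so the cookie carries only a random key and every session disappears on restart. Because a restart is a blunt tool, it also adds an OnValidatePrincipal check that rejects a cached principal once its claims are older than a bound, forcing a round trip to Azure AD that returns a token with current group membership. The class name MemoryTicketStore and the 30-minute MaxClaimsAge are assumptions chosen for the example; the in-memory store is only correct for a single server instance, since a second instance would not see the first instance's tickets.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.AzureAD.UI;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

// Server-side ticket store (hypothetical name). The full AuthenticationTicket
// (principal, claims, expiry) stays in process memory; the browser cookie only
// carries the random key returned by StoreAsync. Because the dictionary is
// process-local, every session is gone after a restart and users must sign in again.
public class MemoryTicketStore : ITicketStore
{
    private readonly ConcurrentDictionary<string, AuthenticationTicket> _tickets =
        new ConcurrentDictionary<string, AuthenticationTicket>();

    public Task<string> StoreAsync(AuthenticationTicket ticket)
    {
        // 256-bit random key: whoever presents the key gets the stored principal,
        // so the key must be unguessable.
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        var key = Convert.ToBase64String(bytes);

        _tickets[key] = ticket;
        return Task.FromResult(key);
    }

    public Task RenewAsync(string key, AuthenticationTicket ticket)
    {
        // Called on sliding-expiration refresh; overwrite under the same key.
        _tickets[key] = ticket;
        return Task.CompletedTask;
    }

    public Task<AuthenticationTicket> RetrieveAsync(string key)
    {
        if (!_tickets.TryGetValue(key, out var ticket))
            return Task.FromResult<AuthenticationTicket>(null); // unknown key: treated as anonymous

        // Evict tickets whose absolute expiry has passed so the store does not grow forever.
        var expires = ticket.Properties.ExpiresUtc;
        if (expires.HasValue && expires.Value <= DateTimeOffset.UtcNow)
        {
            _tickets.TryRemove(key, out _);
            return Task.FromResult<AuthenticationTicket>(null);
        }
        return Task.FromResult(ticket);
    }

    public Task RemoveAsync(string key)
    {
        _tickets.TryRemove(key, out _);
        return Task.CompletedTask;
    }
}

public class Startup
{
    public IConfiguration Configuration { get; }
    public Startup(IConfiguration configuration) => Configuration = configuration;

    // Assumed bound: how long a set of group claims is trusted before the user is
    // sent back through Azure AD for a fresh token.
    private static readonly TimeSpan MaxClaimsAge = TimeSpan.FromMinutes(30);

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
                .AddAzureAD(options => Configuration.Bind("AzureAd", options));

        services.AddSingleton<ITicketStore, MemoryTicketStore>();

        // AddAzureAD registers its own cookie scheme; attach the store and the
        // freshness check to that scheme rather than adding a new one.
        services.AddOptions<CookieAuthenticationOptions>(AzureADDefaults.CookieScheme)
                .Configure<ITicketStore>((options, store) =>
                {
                    options.SessionStore = store;
                    options.Events.OnValidatePrincipal = async ctx =>
                    {
                        var issued = ctx.Properties.IssuedUtc;
                        if (issued.HasValue && DateTimeOffset.UtcNow - issued.Value > MaxClaimsAge)
                        {
                            // Discard the cached principal and clear the session. The next
                            // request is redirected to Azure AD and returns with a token
                            // that reflects current group membership.
                            ctx.RejectPrincipal();
                            await ctx.HttpContext.SignOutAsync(AzureADDefaults.CookieScheme);
                        }
                    };
                });

        services.AddMvc();
    }
}
```

Without the OnValidatePrincipal check, the ticket store only changes where the claims live; a user removed from a group keeps the stale membership until the process restarts or the cookie expires. With the check, the longest a revoked membership remains honoured is MaxClaimsAge, and if the user still has a live Azure AD session the re-authentication is normally a silent redirect rather than a new password prompt.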