Situation
I have to work on an MVC5 application which uses ASP.Net Identity (2.2.3). In the OnValidateIdentity-callback of the CookieAuthenticationProvider I check from time to time (the timespan is configurable) whether the configuration of the user has changed and hence the user’s identity (IIdentity) must be updated. To write back the renewed identity (and its changed claims) to the user’s cookie, I call SignIn on the IAuthenticationManager and provide it with the refreshed identity:
context.OwinContext.Authentication.SignIn(context.Properties, refreshedIdentity);
Issue
In general, this works fine. However, it messes around with the sign out, in case that the user tries to log out within the very request which is also used to renew the identity.
When using simple password based cookie authentication, the result is, that I have to call in the logout action the IAuthenticationManager.SignOut operation providing the explicit authentication type as follows:
AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie)
The parameterless SignOut-Operation does not work anymore. Looking at the ms source code of the implementation, I think, I understand, why this is and I can live with it perfectly.
However, if a I have activated WS Federation via IAppBuilder.UseWsFederationAuthentication() (Microsoft.Owin.Security.WsFederation 4.1.1), the side effects are massively more serious. Every request, which tries to sign out the user and also renews the identity in the same request (the renewal takes place before the sign out), leads to a signed out user on the IDP, however, a still signed in user at the local system. I have not found a way to circumvent this behavior.
As an additional information, ResponseSignOut and its callback is also never called on the CookieAuthenticationProvider, if the described constellation occurs.
I tried various other ways to renew the identity and its claims (e.g. previously calling SignOut, using ReplaceIdentity etc), however I have not found any working way. Searching the internet, it seems commonly agreed, that a re-sign-in via IAuthenticationManager.SignIn is the way to go, to renew the identity information in the user’s cookie.
Has anybody experienced the same problems and found a solution or has anybody an idea, how to prevent this side effects on ws federation (or in general) to happen?
After poking around some more, I realized, that the WS Federation middleware has its own AuthenticationType, which is named "Federation", and which is not visible when looking at the IAuthenticationManager.AuthenticationResponseGrant instance when signing out.
After providing the "Federation" literal as one of the authentication types in SignOut or assigning an explicit AuthenticationType to the federation middleware, the logout worked as expected:
AuthenticationManager.SignOut([other authentication types],"Federation");
What I haven't brought to work until now, is the parameterless SignOut. Since I don't see the federations's authentication type in the AuthenticationResponseGrant, I'm not able to write an extension or some other generic code which signs out reliable every time without the need to provide at least one AuthenticationType parameter value for SignOut.