OpenID Connect Cookie ExpireTimeSpan Ignored


We have an ASP.NET Core MVC 8.0 web application that we're having an issue with that started occurring at some point in the last few weeks. We use OpenID Connect via OKTA. We have policies set up in OKTA that require the user to log in with credentials every 24 hours. We have always overridden the 1-hour session expiry, where if a user is inactive for an hour or more it performs a "silent" authentication (when they navigate to another page you can see it being briefly redirected to OKTA before proceeding). The reason for overriding this is that we have some larger forms that sometimes require longer than one hour to complete, and if it times out while completing the form, the form data is lost. The code below was previously working and would prevent the "silent" authentication from happening until the specified expiry time. The only thing we've changed is to update to the latest version of OpenID Connect from NuGet due to security vulnerabilities (we were some minor versions behind).

Here are the relevant sections of my OpenID Connect code in Program.cs:

// usings required by this fragment (OpenIDConnectAuthority, OpenIDConnectClientID,
// OpenIDConnectSecret and OpenIDConnectRedirectURL are defined elsewhere in Program.cs)
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie(options =>
{
    options.AccessDeniedPath = "/Home/NotAuthorized";  // redirect to custom not authorized view
    //options.Cookie.IsEssential = true;
    options.ExpireTimeSpan = TimeSpan.FromMinutes(120);
    options.Cookie.MaxAge = TimeSpan.FromMinutes(120);
    options.SlidingExpiration = true;
    options.Cookie.HttpOnly = true; // not accessible via JavaScript
    //options.Cookie.Name = "OktaAuth2";

    // make cookie persist otherwise you need to enter credentials every time
    options.Events.OnSigningIn = ctx =>
    {
        ctx.Properties.IsPersistent = true;
        // ctx.Properties.AllowRefresh = true;
        ctx.Properties.ExpiresUtc = DateTime.UtcNow.AddMinutes(120);

        return Task.CompletedTask;
    };
})
.AddOpenIdConnect(options =>
{
    options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.Authority = OpenIDConnectAuthority;

    options.UseTokenLifetime = false;
    options.ClientId = OpenIDConnectClientID;
    options.ClientSecret = OpenIDConnectSecret;
    options.ResponseType = OpenIdConnectResponseType.CodeIdToken;
    options.GetClaimsFromUserInfoEndpoint = true;
    options.SaveTokens = true;

    options.Scope.Add("openid");
    options.Scope.Add("profile");
    // options.Scope.Add("groups"); // uncomment this to use groups brought over from the identity provider for role checking User.IsInRole()
    options.Scope.Add("email");
    options.SignedOutRedirectUri = OpenIDConnectRedirectURL;

    options.TokenValidationParameters = new TokenValidationParameters
    {
        NameClaimType = "preferred_username",
        // RoleClaimType = "groups"  // uncomment this to use groups brought over from the identity provider for role checking User.IsInRole()
    };
    options.TokenValidationParameters.ValidateIssuer = true;
});

We tried commenting and uncommenting various parameters suggested in other Stack Overflow questions. One user said removing the cookie name worked for them; it did not for us. We added the code to the SigningIn event as per another suggestion. Nothing seems to have any effect and, like I said previously, this worked without issue a few weeks ago. We've asked our Information Security team if they've made any changes in OKTA that would cause this behavior and they said no. I'm not sure it could affect this anyway, since we were overriding with a cookie. Any ideas?


There are 0 answers
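An added example, not part of the question or of any answer, showing how to make the effective lifetimes visible and how to bound a sliding cookie session. It assumes the same cookie and OpenID Connect registration as the question; the `session_started_utc` item key, the 12-hour absolute cap and the `SessionLifetime` logger category are constructed for this example. The cookie handler fires `OnValidatePrincipal` on every authenticated request with the deserialized ticket, so logging `IssuedUtc` and `ExpiresUtc` there shows whether the ticket really carries the 120-minute expiry set in `OnSigningIn` or a lifetime copied from the id_token; `OnTokenValidated` logs the id_token's own `exp` for comparison. Separately, `SlidingExpiration = true` renews the ticket as long as the user keeps making requests, so without an explicit cap the application session can outlive the identity provider's 24-hour re-authentication policy; the example records the original sign-in time in `Properties.Items` (which survives renewals, unlike `IssuedUtc`, which is reset on each renewal) and rejects the principal once that cap is passed, forcing a fresh login.

```csharp
// Added example (not from the question). Wire up with:
//   .AddCookie(options => { /* existing settings */ SessionLifetime.ConfigureCookieEvents(options); })
//   .AddOpenIdConnect(options => { /* existing settings */ SessionLifetime.ConfigureOidcEvents(options); })
using System;
using System.Globalization;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

public static class SessionLifetime
{
    // Absolute cap on one cookie session regardless of sliding renewals.
    // Chosen here to stay inside the IdP's 24-hour re-login policy; the value is an assumption.
    public static readonly TimeSpan AbsoluteSessionLifetime = TimeSpan.FromHours(12);

    // Constructed key name for the original sign-in time stored in the ticket.
    private const string SessionStartedKey = "session_started_utc";

    private static ILogger Log(HttpContext http) =>
        http.RequestServices.GetRequiredService<ILoggerFactory>().CreateLogger("SessionLifetime");

    public static void ConfigureCookieEvents(CookieAuthenticationOptions options)
    {
        options.Events.OnSigningIn = ctx =>
        {
            var now = DateTimeOffset.UtcNow;
            ctx.Properties.IsPersistent = true;
            // Explicit ticket expiry, independent of whatever lifetime the id_token carries.
            ctx.Properties.ExpiresUtc = now.AddMinutes(120);
            // Properties.Items are re-serialized into the cookie on every sliding renewal,
            // so this value keeps the true session start; IssuedUtc does not.
            ctx.Properties.Items[SessionStartedKey] = now.ToString("o", CultureInfo.InvariantCulture);
            return Task.CompletedTask;
        };

        options.Events.OnValidatePrincipal = ctx =>
        {
            var log = Log(ctx.HttpContext);
            // Shows the lifetime actually stored in the cookie ticket on this request.
            log.LogInformation("Cookie ticket issued {Issued}, expires {Expires}, allowRefresh {Refresh}",
                ctx.Properties.IssuedUtc, ctx.Properties.ExpiresUtc, ctx.Properties.AllowRefresh);

            if (ctx.Properties.Items.TryGetValue(SessionStartedKey, out var started)
                && DateTimeOffset.TryParse(started, CultureInfo.InvariantCulture,
                                           DateTimeStyles.RoundtripKind, out var startedUtc)
                && DateTimeOffset.UtcNow - startedUtc > AbsoluteSessionLifetime)
            {
                // Session has slid past the absolute cap: drop the principal and clear the cookie
                // so the next request triggers a full OIDC challenge rather than a silent renewal.
                log.LogWarning("Session started {Started} exceeded absolute lifetime; rejecting", startedUtc);
                ctx.RejectPrincipal();
                return ctx.HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
            }
            return Task.CompletedTask;
        };
    }

    public static void ConfigureOidcEvents(OpenIdConnectOptions options)
    {
        options.Events.OnTokenValidated = ctx =>
        {
            // With UseTokenLifetime = false the ticket expiry should not mirror the id_token's exp;
            // logging both side by side makes any mismatch obvious after a package upgrade.
            Log(ctx.HttpContext).LogInformation(
                "id_token valid until {TokenExp}; ticket ExpiresUtc at TokenValidated = {TicketExp}",
                ctx.SecurityToken?.ValidTo, ctx.Properties?.ExpiresUtc);
            return Task.CompletedTask;
        };
    }
}
```

When comparing the two log lines, the case worth spotting is a ticket `ExpiresUtc` that equals the id_token's `ValidTo` (typically one hour out) despite `UseTokenLifetime = false`: that indicates the token lifetime is being applied to the cookie and the configured 120 minutes is being overridden. The absolute cap is independent of that diagnosis and is worth keeping either way, since a sliding cookie with no upper bound is the application's session policy drifting away from the identity provider's.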