Hi,
First, thank you for this great job, I appreciate it a lot :). My question is:
The user remains logged in and can access AdminUI when I delete the Role. How can I block access or redirect to an error page?
Thank you :)
Hi @houssam-saissi
It's a great question.
You can use your own implementation of the ValidatePrincipal method and check information about the user/roles from the cookie, like this:
https://docs.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-2.1&tabs=aspnetcore2x#react-to-back-end-changes
If the user has an invalid role for administration, you can reject access:
context.RejectPrincipal();
await context.HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
I hope it will help for your scenario. :)
Thanks!
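The check described in the reply above, written out as an added example (not part of the original thread and not the project's own code). It assumes ASP.NET Core Identity with `IdentityUser` is registered, that this cookie scheme is used only by the admin UI, and that the cookie carries the user-id claim Identity expects; the class name and the role name "AdminRole" are placeholders.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Identity;

// Hypothetical class; re-validates the admin role against the user store
// instead of trusting the role claim frozen into the cookie at sign-in.
public class AdminRoleValidationEvents : CookieAuthenticationEvents
{
    // Placeholder for the role that guards the admin UI.
    private const string RequiredRole = "AdminRole";

    private readonly UserManager<IdentityUser> _userManager;

    public AdminRoleValidationEvents(UserManager<IdentityUser> userManager)
    {
        _userManager = userManager;
    }

    // Called by the cookie handler on every request that presents the cookie.
    public override async Task ValidatePrincipal(CookieValidatePrincipalContext context)
    {
        // Resolve the current user from the store; null means the account is gone.
        var user = await _userManager.GetUserAsync(context.Principal);

        // Fail closed: a missing user or a missing role both end the session.
        var stillAdmin = user != null
            && await _userManager.IsInRoleAsync(user, RequiredRole);

        if (!stillAdmin)
        {
            // Treat the request as anonymous and clear the stale cookie.
            context.RejectPrincipal();
            await context.HttpContext.SignOutAsync(context.Scheme.Name);
        }
    }
}

// Registration in ConfigureServices (assumed layout):
//   services.AddScoped<AdminRoleValidationEvents>();
//   services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
//       .AddCookie(options => options.EventsType = typeof(AdminRoleValidationEvents));
```

This queries the user store on every authenticated request, so a role removal takes effect on the next request at the cost of one lookup per request.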
Hi @skoruba ,
Hmm, I see ^_^ thanks for the solution. However, I am confused about the uses of claims and permissions. I want to use IdentityServer to limit access to data operations. For example: grant a user CRUD or deny it without logging out. It is rather about how to use a combination of IdentityServer and Aspnet.Identity.
Thank you :)
Hi @houssam-saissi
Can you please describe the specific situation? :) I need more context.
Thanks!
Any update? - @houssam-saissi :)
Hello @skoruba,
Yes, in StartupHelpers.cs, I changed:
context.Properties.ExpiresUtc = new DateTimeOffset(DateTime.Now.AddHours(1));
and the token refreshes every hour, so all permissions and roles are up to date ^_^