Identity disappears from bearer token after an hour

  • Question

  • I am working on a multi-tenant solution with Azure AD with web apps and a web api. The web app uses OpenIdConnect to retrieve a bearer token (which is cached in Azure Redis Cache), which is used in Angular to get JSON from the web api. User impersonation is used between the web app and web api (set up in Azure AD applications).

    Problem

    This works fine for about an hour, then the Identity suddenly disappears on the web api side. If I refresh the web app, I see that the page is redirected to the Microsoft login page, but no action is required since the user is just redirected back to the web app and everything works again. As far as I can see, the web app uses the same bearer token when it fails and after the refresh (same expire time) when it works again. AuthenticationContext.AcquireTokenSilent works in both scenarios.

    I have tried to increase a lot of different timeouts, but nothing has helped. I have also disabled all but bearer token authentication on the web api. I do not understand why the identity disappears and why it helps to refresh the client. Any ideas? :)

    Additional info

    This is how the RequestContext.Principal.Identity looks for about an hour after login or a refresh (on the web api):

    [screenshot of RequestContext.Principal.Identity, populated]

    And this is after about an hour, which causes authentication to fail:

    [screenshot of RequestContext.Principal.Identity after about an hour, empty]

    Some of the code changes I have tried out:

    In web api HttpConfiguration:

    // Only the Azure AD bearer middleware may authenticate requests to the api;
    // the host's own authentication (e.g. Windows auth in IIS) is suppressed.
    config.SuppressDefaultHostAuthentication();
    config.Filters.Add(
        new HostAuthenticationFilter(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions().AuthenticationType));

    This changed the unauthenticated principal from WindowsPrincipal to ClaimsPrincipal, but it still fails after an hour.

    WindowsAzureActiveDirectoryBearerAuthenticationOptions BackChannelTimeout set to 5 days. Still fails
    

    In the web app web.config:

    sessionState timeout="525600" for RedisSessionStateProvider. Still fails
    

    In the web app owin auth process, increased timespan and added sliding expiration. Still fails:

    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
    // Session cookie for the web app: 5-day sliding lifetime, HTTPS-only, HttpOnly.
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        CookieSecure = CookieSecureOption.Always,
        ExpireTimeSpan = TimeSpan.FromDays(5),
        SlidingExpiration = true,
        CookieHttpOnly = true
    });
    // OpenID Connect sign-in against the common (multi-tenant) authority;
    // UseTokenLifetime = false decouples the cookie lifetime from the token's.
    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            ClientId = ClientId,
            Authority = Constants.CommonAuthority,
            UseTokenLifetime = false
    …

    The question is also asked on Stack Overflow: http://stackoverflow.com/questions/26925463/identity-disappears-from-bearer-token-after-an-hour

    Thursday, November 20, 2014 6:36 AM
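The symptom above is a bearer token that the api accepts for roughly one hour and then rejects, while the web app's own session cookie (5 days, sliding) stays valid. A check a practitioner would want in front of any token cache is whether the cached JWT's `exp` claim has passed, so the cache hands out a fresh token (via whatever silent acquisition the app uses) instead of replaying an expired one. The following is an added example, not code from the original post or from any Microsoft library; it assumes the cached value is a standard compact JWT with `exp`/`nbf` claims (as Azure AD access tokens are), and the sample token it builds is constructed for the example with a placeholder signature, since signature verification is the api's job, not the client's.

```python
"""Decide whether a cached bearer token (a JWT) may still be sent to an api.

Added example for the thread above; not the original poster's code and not
an Azure AD library API. The token built here is constructed for the example
and carries a placeholder signature: the client only reads the payload's
lifetime claims, the resource server verifies the signature.
"""
import base64
import json
import time
from typing import Callable, Dict, Optional


def _b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> Dict:
    """Return the payload claims WITHOUT verifying the signature.

    This is deliberate for a client-side freshness check; never use an
    unverified payload for an authorization decision on the api side."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS/JWT")
    return json.loads(_b64url_decode(parts[1]))


def token_is_usable(token: str, now: Optional[float] = None,
                    skew_seconds: int = 300) -> bool:
    """True if the token is inside its [nbf, exp) window with a safety margin.

    A token that expires within `skew_seconds` is treated as expired so it is
    replaced before the api's validation (which allows similar skew) rejects it."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if exp is None:                      # no lifetime claim: never trust it
        return False
    nbf = claims.get("nbf", 0)
    return nbf - skew_seconds <= now < exp - skew_seconds


def make_token(claims: Dict) -> str:
    """Constructed sample token: real header/payload layout, placeholder signature."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(b"placeholder-signature-not-verified-here"),
    ])


class TokenCache:
    """Stand-in for the Redis-backed cache in the question.

    `acquire(now)` plays the role of the silent token acquisition the app
    performs; it is only called when there is no usable cached token."""

    def __init__(self, acquire: Callable[[float], str]) -> None:
        self._acquire = acquire
        self._token: Optional[str] = None
        self.acquisitions = 0

    def get_token(self, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        if self._token is None or not token_is_usable(self._token, now):
            self._token = self._acquire(now)
            self.acquisitions += 1
        return self._token


def issue_one_hour_token(now: float) -> str:
    """Mimics the one-hour lifetime observed in the thread (constructed claims)."""
    return make_token({"aud": "https://example.invalid/webapi",  # hypothetical audience
                       "nbf": int(now), "iat": int(now), "exp": int(now) + 3600})


if __name__ == "__main__":
    t0 = 1_416_465_000                   # arbitrary login time for the walk-through
    cache = TokenCache(issue_one_hour_token)
    first = cache.get_token(t0)
    print("30 min later, same token reused:", cache.get_token(t0 + 1800) == first)
    print("58 min later, refreshed early:", cache.get_token(t0 + 3500) != first)
    print("acquisitions:", cache.acquisitions)
```

Run as a script to see the cache hand out the same token at 30 minutes and a new one at 58 minutes. Stored this way, the Redis entry is still only as sensitive as the token itself: an expired token is useless to whoever reads the cache, but a live one is a bearer credential, so the cache should be as protected as the session store.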

Answers

  • Hi Bjorn,

    I replied on StackOverflow.

    thanks

    V.


    Vittorio [MSFT]

    • Marked as answer by Arvind S. Iyer Monday, December 1, 2014 11:03 AM
    Tuesday, November 25, 2014 10:17 PM

All replies

  • Hello!

    Thanks for reaching out here.

    We're investigating this question and shall keep this thread updated with our feedback at the earliest.

    Thank you,

    Arvind

    Thursday, November 20, 2014 9:10 PM