Kick user session out from own controller action method serverside - identityserver3

In IdentityServer3 do we have any extension method like owincontext.Environment.logoutCurrentSession for the logged in user. We have our own custom login pages and logout page and we already have our own logout page where we used to logout the existing user through context.Authentication.Signout stuff.

In Identity Server you need to call LogoutEndPoint with user IdentityToken for logout user and end of session. Also you must cleanup to cookie with SignoutCleanup. I think, first you need to read documentation of Identity Server 3.
Logout EndPoint Usage

Related

Keycloak authentication - how to set remember_me to the api request

I have keycloak version 20 installed, and api request to authenticate with username and password via REST API. I want to add remember_me to the request body, so I can extend the users refresh token (if the user wants it). Is that possible? I don't want to extend the refresh token lifespan for all sessions.
The API call is to the URI
/realms/{realm}/protocol/openid-connect/token
I also enabled the remember me for the realm, and it is available if I authenticate in the browser.
I have keycloak version 20 installed, and api request to authenticate
with username and password via REST API. I want to add remember_me to the request body, so I can extend the users refresh token (if the user wants it). Is that possible?
I am afraid this is not possible with Direct Access Grant Flow
From the Keycloak documentation section about the Remember Me functionality:
A logged-in user closing their browser destroys their session, and
that user must log in again. You can set Keycloak to keep the user’s
login session open if that user clicks the Remember Me checkbox upon
login. This action turns the login cookie from a session-only cookie
to a persistence cookie.
In Keycloak this feature relies on the browser cookies to work. For example, if you login with a user in one browser and then try to access the same account in another browser you are forced to authenticate the user again. It only works in the same browser (if cookies are enabled) because it was there where the cookie was originally created. Consequently, out-of-the-box, I do not see how this would work with the Direct Access Grant flow.

Is it possible to renew long lived access token in Facebook using an api call?

Facebook documentation states that
. At any point, you can generate a new long-lived token by sending the person back to the login flow used by your web app - note that the person will not actually need to login again, they have already authorized your app, so they will immediately redirect back to your app from the login flow with a refreshed token - how this appears to the person will vary based on the type of login flow that you are using, for example if you are using the JavaScript SDK, this will take place in the background, if you are using a server-side flow, the browser will quickly redirect to the Login Dialog and then automatically and immediately back to your app again.
What does it mean that the person does not actually need to login? Does not he have to pass his credentials again? If not how does FB is authenticating the user and getting the refreshed access token?
Yes but you need that the user visits your web app. Then you check for login status, if it is "connected" you will get a new short-lived token without even making the user login again. That's because the token has information about apps already authorized by user. If not the case or the user hasn't login in FB then you need to call the login function.
Once you have the token you can create a new long-lived token again.

DNN single sign on through webservice

I have implemented SingleSignOn for my DNN site say www.example1.com. There is another site called www.example2.com. Both the sites will redirect to a common login page which uses a webservice to authenticate the users from external database.
The problem is, when i clicks on login button in example1.com, the user will be redirected to common sso login page, and after successful authentication, he will be redirected back to the original site. If I opens a new tab and enters the url that example2.com, the user is not being logged in.
But, if i clicks on login button in example2.com, the user is automatically getting logs in.
What I want exactly is, when I logs into one site in first tab and opens another site in the second tab, on the page load only the user should be logged in, but not on the login click.
How can I handle this issue ? Any help is appreciated.
I do something similar to this.
Your database should track users currently logged in. Before you redirect to the common login page, you should check if the user is logged in. Your example2.com is not checking to see if the user is logged on before redirecting to the common login page.
Here is how ours works:
Both sites must check for cookie/Token before redirecting
User Logs into site and is Authenticated
Writes User to Token database
Stores Token in cookie with expiration
Subsequent requests read the token from the cookie and validate against Token database
When user logs out, cookie and database entry are deleted
If user does not log out properly, you must clean up tokens on a set interval

Custom Authorize attribute for Facebook

I'm trying to create a custom Authorize attribute for my MVC 3 application. I know that there is a default FacebookAutorize attribute that checks if the user is logged in. The reason why I want to create a Custom attribute is that the user is able to create an account with Facebook or without (default membership) Facebook.
Now when the user is logged into facebook I want to get the connected membership account and call the FormsAuthentication.SetAuthCookie method to login.
When I run my application in VS2010 (F5) the user is not logged in so you get the login page. When I click the login button and redirect to the homecontroller index action I see in the custom attribute that the FacebookWebContext.Current.IsAuthenticated() methoded is true.
After I close the browser and hit F5 again in VS the website is navigated to the homecontroller index again. In that moment the custom authorize is called again and I see that the FacebookWebContext.Current.IsAuthenticated() returnes false.
Why is it false? I was already authenticated right?
Thanks
download the latest source code and checkout "CS-AspNetMvc3-WithoutJsSdk.sln" sample which demonstrates the use of FormsAuthentication and Facebook OAuth.

how to logout after getting authenticated by single sign on provider?

I am trying to provide authentication facility through third party single sign on provider like rpxnow. After login on every refresh of page I am not able to retrieve the cookies set by the provider so that I can delete them when user desires to log out?
Is there any other way to gracefully logout the user without trying to search for cookies etc., or releasing the token provided by them after authentication?
I had a workaround. I stored the token retrieved from single sign on site and onclick of logout deleted the token. Every call handler for each page was initiated by checking for validating for token variable in session.