0

How to configure refresh of auth-cookie, or log out user when cookie has expired?

Details:

We are using Azure SWA with an Azure functions app running on dotnet 8 isolated as the backend api with C#. We are using a custom identity provider targeting microsoft entra version 1, like https://learn.microsoft.com/en-us/azure/static-web-apps/authentication-custom?tabs=aad%2Cfunction#configure-a-custom-identity-provider

We are using Microsoft.Graph v5.61.0 to retreive the roles. There is a posibility that this version of Microsoft.Graph has a bug as this is where the user roles are retrieved.

We are provided with a client principal that we can use to get custom roles, however the user claim has an expiration time of 1h, and this does not seem to be respected anywhere. I.e nothing special happens after 1h. Reloading the page, closing the page etc does not renew the user claims.

Further, after the user has been active for a long period of time (we have tried 24h) the client principal returned does not include the custom roles. The user is not logged out or otherwise unathenticated, even though the auth cookie should expire after a few hours according to the similar issue on github: https://github.com/Azure/static-web-apps/issues/213 (scroll down to see that the issue changes through the thread)

It is important that the custom roles can be returned even after the user has been logged in for 24h, hopefully this can be achieved by refreshing the auth cookie. Otherwise it would be acceptable if the user was logged out when the cookie has expired. How can we configure this?

Improve this question
3
  • what type of azure function you are using? are you using c#, python, js Commented Dec 3, 2024 at 8:56
  • please share the framework details as well Commented Dec 3, 2024 at 9:10
  • I updated some details, please tell me if there is more information needed. Commented Dec 3, 2024 at 10:07

1 Answer 1

Reset to default
0

To refresh the authentication cookie, you need to log in again or log out and reauthenticate.

enter image description here

In general, the /auth/login/<PROVIDER> endpoint triggers reauthentication and generates a new token. The authentication token is set to expire after a defined period (e.g., 45 minutes for an hour-long token).

Azure Static Web Apps does not automatically log out users when the authentication cookie expires. To handle this, you can implement a mechanism to detect expiration and enforce logout on the frontend or backend.

I referred to these MSDOCs 1 and 2 to configure and add authentication in an Azure Static Web App.

Example: Use the following URL to log out: https://<YOUR_SITE>/.auth/logout/aad/callback

Alternatively, you can include login and logout like below

<a href="/.auth/login/aad">Login with Microsoft Entra ID</a>
<a href="/.auth/logout">Log out</a>
.
.
   async function getUserInfo() {
            const response = await fetch('/.auth/me');
            const user = await response.json();
            const pre = document.querySelector('pre');
            pre.textContent = JSON.stringify(user, null, 2);
        }
        getUserInfo();

In staticwebapp.config.json in addtion to Microsoft Entra add below routes

{
  "navigationFallback": {
    "rewrite": "/index.html",
    "exclude": ["/static/*", "/api/*"]
  },
  "responseOverrides": {
    "401": {
      "rewrite": "/unauthorized.html"
    },
    "404": {
      "rewrite": "/404.html"
    }
  },
  "routes": [
    {
      "route": "/api/*",
      "allowedRoles": ["authenticated", "Admin"]
    },
    {
      "route": "/admin/*",
      "allowedRoles": ["Admin"]
    },
    {
      "route": "/",
      "allowedRoles": ["anonymous"]
    },
    {
      "route": "/login",
      "redirect": "/.auth/login/github"
    },
    {
      "route": "/logout",
      "redirect": "/.auth/logout"
    },
    {
      "route": "/.auth/login/aad",
      "statusCode": 404
    },
    {
      "route": "/purge",
      "redirect": "/.auth/purge/github"
    }
  ]
}

Output with loginand logout

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.