For example, say that you changed the delegated permissions that your app is requesting for accessing other APIs. The user consent already recorded doesn\u2019t reflect the new permissions you app needs, so (assuming you are using Azure AD v1) you need to ensure that the user has an opportunity to be prompted again for consent and approve the new permissions.
The way you let Azure AD you want to ignore any previously recorded consent and prompt the user anew is to sent prompt=consent <\/font>in your request to the authorization endpoint. You can add a new action in your controller to trigger the new consent flow, but if you simply call the usual
HttpContext.GetOwinContext().Authentication.Challenge
<\/font>you\u2019ll end up with whatever message results from the options you initialized you MW with; and you certainly don\u2019t want every sign in request to re-prompt every user for consent, all the time. What now?<\/p>\n
The solution is very simple:<\/p>\n
- \n
- Right before calling Challenge<\/font>, Place something in the OWIN context that signals your intention to ask for a brand new consent prompt<\/li>\n
- Implement the RedirectToIdentityProvider<\/font> notification. Use it to look for whatever you might have placed in the context in step 1 \u2013 and if you find it, modify the outgoing message to include prompt=consent<\/font><\/li>\n<\/ul>\n
Got it? now let\u2019s actually make it happen. Say that you have an ASP.NET app already hooked up via OIDC MW to Azure AD. If you app is based on the old Katana, you could write your renew consent action as in the following<\/p>\n
\n\n1:<\/span> public<\/span> void<\/span> RenewConsent()<\/pre>\n<\/p>\n
2:<\/span> {<\/pre>\n<\/p>\n
3:<\/span> HttpContext.GetOwinContext().Set(\"RenewConsent\"<\/span>, \"RenewConsent\"<\/span>);<\/pre>\n<\/p>\n
4:<\/span> HttpContext.GetOwinContext().Authentication.Challenge(new<\/span> AuthenticationProperties { RedirectUri = \"\/\"<\/span> },<\/pre>\n<\/p>\n
5:<\/span> OpenIdConnectAuthenticationDefaults.AuthenticationType);<\/pre>\n<\/p>\n
6:<\/span> }<\/pre>\n<\/div>\n<\/div>\n
I am using strings because they are nullable, and I am lazy.<\/p>\n
Your startup.auth.cs might init the MW as in the following:<\/p>\n
\n\n1:<\/span> app.UseOpenIdConnectAuthentication(<\/pre>\n<\/p>\n
2:<\/span> new<\/span> OpenIdConnectAuthenticationOptions<\/pre>\n<\/p>\n
3:<\/span> {<\/pre>\n<\/p>\n
4:<\/span> ClientId = clientId,<\/pre>\n<\/p>\n
5:<\/span> Authority = authority,<\/pre>\n<\/p>\n
6:<\/span> PostLogoutRedirectUri = postLogoutRedirectUri,<\/pre>\n<\/p>\n
7:<\/span> Notifications = new<\/span> OpenIdConnectAuthenticationNotifications<\/pre>\n<\/p>\n
8:<\/span> {<\/pre>\n<\/p>\n
9:<\/span> RedirectToIdentityProvider = OnRedirectToIdentityProvider,<\/pre>\n<\/p>\n
10:<\/span> <\/pre>\n<\/p>\n
11:<\/span> },<\/pre>\n<\/p>\n
12:<\/span> });<\/pre>\n<\/div>\n<\/div>\n
and your implementation of RedirectToIdentityProvider<\/font> might look like the following:<\/p>\n
\n\n1:<\/span> private<\/span> Task OnRedirectToIdentityProvider(RedirectToIdentityProviderNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)<\/pre>\n<\/p>\n
2:<\/span> {<\/pre>\n<\/p>\n
3:<\/span> var consent = notification.OwinContext.Get<string<\/span>>(\"RenewConsent\"<\/span>);<\/pre>\n<\/p>\n
4:<\/span> if<\/span> (consent==\"RenewConsent\"<\/span>)<\/pre>\n<\/p>\n
5:<\/span> {<\/pre>\n<\/p>\n
6:<\/span> notification.ProtocolMessage.Prompt = \"consent\"<\/span>; <\/pre>\n<\/p>\n
7:<\/span> }<\/pre>\n<\/p>\n
8:<\/span> return<\/span> Task.FromResult(0);<\/pre>\n<\/p>\n
9:<\/span> }<\/pre>\n<\/div>\n<\/div>\n
Go ahead, try to run your app and trigger the redirect to Azure AD via RenewConsent()<\/font> \u2013 with the Set<\/font> line active or commented out; you\u2019ll see that Azure AD obediently prompts the user for consent, or not, following your directives.<\/p>\n
Using Core in your app? Things are even simpler. Place your signal in the HttpContext<\/font> (as in HttpContext.Items[“RenewConsent”] = “RenewConsent”<\/font>) and fetch it in RedirectToIdentityProvider<\/font> event from the RedirectContext<\/font>, as in context.HttpContext.Items[“RenewConsent”]<\/font>.<\/p>\n
<\/p>\n
Easy, right? I\u2019ve been wanting to write this post for a long time, as this technique comes in handy in many occasions \u2013 the consent renewal is just one example, but there are plenty of other things you might want to tell Azure AD that are situation dependent and can\u2019t be baked in the initialization options (for example, think of this guy<\/a>). However I never found the time\/forgot until it came in handy again for some colleagues last week, so I finally got to it. Yay! Try it out, and hit me here<\/a> or on twitter<\/a> if there\u2019s anything unclear
![\"Smile\"](\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2017\/03\/wlEmoticon-smile.png\")
enjoy!<\/p>\n","protected":false},"excerpt":{"rendered":"Configuring the ASP.NET OWIN middleware (MW from now on) in your web app makes it super easy to sent your users to authenticate with Azure AD, as the MW takes care of manufacturing the right message for the Authorization endpoint from the options you provided at startup. However, there are many situations in…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-3532","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/posts\/3532","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/comments?post=3532"}],"version-history":[{"count":1,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/posts\/3532\/revisions"}],"predecessor-version":[{"id":3533,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/posts\/3532\/revisions\/3533"}],"wp:attachment":[{"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/media?parent=3532"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/categories?post=3532"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/tags?post=3532"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- Implement the RedirectToIdentityProvider<\/font> notification. Use it to look for whatever you might have placed in the context in step 1 \u2013 and if you find it, modify the outgoing message to include prompt=consent<\/font><\/li>\n<\/ul>\n