Add a new OnCheckSlidingExpiration event to control renewal #33016
Conversation
ghost
added
the
Tratcher
added
the
api-ready-for-review
|
Thank you for submitting this for API review. This will be reviewed by @dotnet/aspnet-api-review at the next meeting of the ASP.NET Core API Review group. Please ensure you take a look at the API review process documentation and ensure that:
|
| @@ -174,8 +182,6 @@ private async Task<AuthenticateResult> ReadCookieTicket() | |||
| return AuthenticateResult.Fail("Ticket expired"); | |||
| } | |||
|
|
|||
| CheckForRefresh(ticket); | |||
There was a problem hiding this comment.
I moved this to clarify that it's only relevant to Authenticate scenarios. SignIn and SignOut also call ReadCookieTicket, but only to populate the _sessionKey.
|
|
||
| // Don't renew on API endpoints that use JWT. | ||
| var authData = context.HttpContext.GetEndpoint()?.Metadata.GetMetadata<IAuthorizeData>(); | ||
| if (authData != null && string.Equals(authData.AuthenticationSchemes, "Bearer", StringComparison.Ordinal)) |
There was a problem hiding this comment.
You could consider moving this to auth samples instead of manual and adding a test for this scenario (always nicer to have coverage)
There was a problem hiding this comment.
I mainly wanted to show @brockallen that there were other patterns than matching request paths.
|
This looks great! I guess it will be shipped in .NET 6? |
Yes, this will be a 6.0 API. |
src/Security/Authentication/Cookies/src/CookieAuthenticationHandler.cs
Outdated
Show resolved
Hide resolved
src/Security/Authentication/Cookies/src/CookieSlidingExpirationContext.cs
Outdated
Show resolved
Hide resolved
src/Security/Authentication/Cookies/src/CookieAuthenticationEvents.cs
Outdated
Show resolved
Hide resolved
Tratcher
added
api-approved
Fixes #32269 @brockallen @Rinsen
Today an auth cookie is automatically renewed if it's more than 50% expired. We've had two complaints about this:
A) People want to set a different renewal interval, usually more frequent. Renewals can be forced today with OnValidatePrincipal, but not delayed or suppressed.
B) People want to suppress renewal for some types of request such as SPA apps that are pinging to check if their cookie is still valid.
This fix adds a new event
OnCheckSlidingExpirationthat allows people to override the default behavior to refresh more or less often. The default sliding expiration behavior remains the same. We opted not to modifyOnValidatePrincipalto avoid compat issues as well as conflicting events (Identity uses that one for SSO).Unrelated: Some sample fixup including using the new minimal host APIs.