Reputation: 531
In an ASP.NET 5/MVC 6 application I use Azure DocumentDB as a user store and authenticate users with CookieAuthentication like this:
List<Claim> claims = new List<Claim>();
claims.Add(new Claim(ClaimTypes.Name, account.UserName));
var user = new ClaimsPrincipal(new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme));
await _httpContextAccessor.HttpContext.Authentication.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, user);
I would like to persist the cookie so the user does not have to log in every time. This is working correctly now. However, if I were to delete a user, the user will still have the cookie and thus access to the website.
I use for example on the controllers:
[Authorize("PolicyName")]
Policy configured like this:
services.Configure<AuthorizationOptions>(options => {
options.AddPolicy("PolicyName", policy =>
{ /* configuration */ });
});
There will be multiple policies so I'm looking for a central place to do the reauthentication. Is there a way to hook into the Authorize method?
Upvotes: 0
Views: 379
Reputation: 56500
In the cookie options there is an Events class. Within that is the OnValidatePrincipal event. If you override that it gets called every time cookie auth pulls in an identity.
Task ValidateAsync(CookieValidatePrincipalContext context);
Inside this function you can call context.RejectPrincipal() to invalidate the identity.
ASP.NET identity uses this. Identity has the concept of a security stamp. This is embedded as a claim inside the identity. When changes happen the security stamp is changed. A security stamp validator is wired up to OnValidatePrincipal which checks the membership database value and compares it to the database value.
Upvotes: 1
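An added example, not code from the answer or from ASP.NET itself: one way to apply the OnValidatePrincipal approach to the deleted-user case in the question. It is written against the released ASP.NET Core cookie API (2.0 or later) rather than the pre-release API the question uses; `IAccountStore`, `AccountExistsCookieEvents` and `CookieSetup` are hypothetical names, and the application is assumed to register its own `IAccountStore` implementation.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical abstraction over the user store (DocumentDB in the question).
public interface IAccountStore
{
    Task<bool> ExistsAsync(string userName);
}

public class AccountExistsCookieEvents : CookieAuthenticationEvents
{
    private readonly IAccountStore _accounts;

    public AccountExistsCookieEvents(IAccountStore accounts) => _accounts = accounts;

    // Runs each time the cookie handler rebuilds the principal from the cookie,
    // which happens before any [Authorize] policy is evaluated, so every
    // policy is covered from this one place.
    public override async Task ValidatePrincipal(CookieValidatePrincipalContext context)
    {
        var userName = context.Principal?.FindFirst(ClaimTypes.Name)?.Value;

        // Fail closed: a cookie without a name claim, or naming an account
        // that no longer exists, is treated as unauthenticated.
        if (string.IsNullOrEmpty(userName) || !await _accounts.ExistsAsync(userName))
        {
            context.RejectPrincipal();
            // Also clear the persistent cookie so the browser stops sending it.
            await context.HttpContext.SignOutAsync(
                CookieAuthenticationDefaults.AuthenticationScheme);
        }
    }
}

public static class CookieSetup
{
    public static void AddValidatedCookies(this IServiceCollection services)
    {
        // Resolved per request, so the events class can take scoped dependencies.
        services.AddScoped<AccountExistsCookieEvents>();
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(options => options.EventsType = typeof(AccountExistsCookieEvents));
    }
}
```

This does a store lookup on every authenticated request, so a short-lived cache in the `IAccountStore` implementation may be needed. Because the cookie here carries only the user name, an account deleted and later re-created under the same name would make an old cookie valid again; a per-account value such as the security stamp described in the answer avoids that.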