Martin

Reputation: 71

Re-validating users when using OpenId Connect implicit flow

I'm trying to understand how to make sure that a logged-on user's account is still "valid" (where valid means, for example, not locked out and not deleted).

I've set up an identity provider using IdentityServer v3. On the "relying party"-side, I have an ASP.NET WebApi hosted using Owin. On the RP-side, I'm using UseOpenIdConnectAuthentication to install the OpenIdConnectAuthenticationMiddleware in the Owin pipeline.

What's working so far:

  1. Any unauthenticated user visiting my web app is redirected to the login page on IdentityServer
  2. The user logs on (I'm using the implicit flow)
  3. The user is redirected back to my web app
  4. My web app receives the JWT containing the id token and access token
  5. My web app calls the user info endpoint to retrieve the claims using the access token
  6. My web app creates a new ClaimsIdentity containing the claims my app is interested in. This is then persisted in a cookie, using:
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = "Cookies",
        SlidingExpiration = true
    });

This works fine, but I want some kind of hourly validation that the user is still "valid" from the identity server's perspective.

Is there some standard pattern for how I should re-validate that a user account is valid? I don't want to force the user to log on again; I just want to confirm that a user can't stay on forever even if his user account is deleted.

Upvotes: 2

Views: 707

Answers (1)

Hans Z.

Reputation: 54038

You can send the user to the Authorization Server again with an OpenID Connect authentication request, but with the additional parameter prompt=none as documented in the spec: http://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint. If that returns successfully, the user is still logged in; else an error will be returned. The user will not be prompted in either case.

Upvotes: 2
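The silent re-authentication the answer describes, shown as an added example that is not code from the question, the answer, or IdentityServer: the relying party builds an implicit-flow authorization request with prompt=none, then classifies the fragment it gets back on the redirect URI as "session still valid" (an id_token came back), "session ended" (login_required or a related error, which is what you get once the account is locked or deleted and the IdP session is gone), or an unexpected error. The endpoint URL, client_id, redirect_uri and the one-hour interval are placeholders for this example. Token validation (signature, issuer, audience, expiry, nonce) is left to the normal middleware and is not repeated here.

```python
"""Periodic silent re-authentication with prompt=none (OpenID Connect implicit flow).

Added example, not code from the question or answer above. All endpoint values,
client identifiers and the interval below are constructed placeholders.
"""
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values for the example (constructed, not from the original page).
AUTHORIZE_ENDPOINT = "https://idsrv.example/connect/authorize"
CLIENT_ID = "my-web-app"
REDIRECT_URI = "https://rp.example/signin-oidc"
REVALIDATE_AFTER_SECONDS = 3600  # hourly, as the question asks for

# Errors the spec allows the IdP to return for prompt=none when it cannot
# answer without user interaction; all mean "do not trust the old session".
SESSION_ENDED_ERRORS = {"login_required", "interaction_required", "consent_required"}


def needs_revalidation(last_validated_at: float, now: Optional[float] = None) -> bool:
    """True when the cookie's 'last validated' timestamp is older than the interval.

    The RP stores last_validated_at as a claim in its own cookie and checks it on
    each request; when this returns True it redirects the browser to the silent
    authorization request instead of serving the page."""
    now = time.time() if now is None else now
    return now - last_validated_at >= REVALIDATE_AFTER_SECONDS


def new_state_and_nonce() -> tuple:
    """Fresh CSRF state and replay nonce; both must be stored server-side (or in
    a short-lived cookie) so the callback can be checked against them."""
    return secrets.token_urlsafe(16), secrets.token_urlsafe(16)


def build_silent_auth_request(state: str, nonce: str) -> str:
    """Authorization request for the implicit flow with prompt=none."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "id_token token",
        "scope": "openid profile",
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "nonce": nonce,
        "prompt": "none",  # never show a login or consent UI
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def evaluate_silent_auth_response(callback_url: str, expected_state: str) -> str:
    """Classify the redirect back to the RP.

    Implicit flow returns the response in the URL fragment, not the query string.
    Returns 'valid', 'session_ended' or 'error'. The id_token itself must still be
    validated by the usual middleware (signature, iss, aud, exp, nonce); that step
    is assumed to happen afterwards and is not shown here."""
    fragment = urlparse(callback_url).fragment
    params = {k: v[0] for k, v in parse_qs(fragment).items()}

    # state binds the response to the request we issued; reject anything else.
    if not secrets.compare_digest(params.get("state", ""), expected_state):
        raise ValueError("state mismatch on silent authentication callback")

    if "error" in params:
        if params["error"] in SESSION_ENDED_ERRORS:
            return "session_ended"  # sign the user out of the RP cookie
        return "error"  # e.g. invalid_request; log it, do not silently extend
    if "id_token" in params:
        return "valid"  # refresh last_validated_at in the cookie
    return "error"


if __name__ == "__main__":
    state, nonce = new_state_and_nonce()
    print(build_silent_auth_request(state, nonce))
    # Constructed sample callbacks for illustration:
    ok = f"{REDIRECT_URI}#id_token=eyJ.x.y&access_token=t&token_type=Bearer&state={state}"
    ended = f"{REDIRECT_URI}#error=login_required&state={state}"
    print(evaluate_silent_auth_response(ok, state))
    print(evaluate_silent_auth_response(ended, state))
```

On "session_ended" the RP should drop its own authentication cookie rather than just failing the check, otherwise the cookie's sliding expiration keeps extending a session the identity provider no longer recognises.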
