TheWebGuy

Reputation: 12575

Invalidating WsFederation authentication

I am using the OWIN WsFederation to authenticate users. I would like to grab a claim and perform an additional check to see if this unique user id is located in a database for access. If not, I would like to redirect the user to a view that displays a message. I am subscribed to a notification, "SecurityTokenValidated"; in this notification I will grab the claim and check if the user exists. From my understanding, SecurityTokenValidated is called after the cookie has been created, so this may be too late.

How do I redirect the user to a view letting them know they don't have access?

app.UseWsFederationAuthentication(
    new WsFederationAuthenticationOptions
    {
        Wtrealm = AppSettings.IdpRealm,
        MetadataAddress = AppSettings.IdpMetadata,

        Notifications = new WsFederationAuthenticationNotifications
        {
            // check and create additional claims
            SecurityTokenValidated = notification =>
            {
                // identity object to access claims from IDP
                var identity = notification.AuthenticationTicket.Identity;

                // get claim and check database

                return Task.FromResult<object>(null);
            }
        }
    });

Upvotes: 1

Views: 446

Answers (1)

Ahmed Mansour

Reputation: 545

You can throw an exception to block the flow of the authentication. Something like this:

throw new System.IdentityModel.Tokens.SecurityTokenValidationException();

On the exception handler, add a friendly message to the user.

Upvotes: 1
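A worked version of the approach in this answer, added here as an example and not taken from the question or the answer: the lookup runs inside SecurityTokenValidated and throws before the middleware issues the cookie, and the middleware's AuthenticationFailed notification (part of WsFederationAuthenticationNotifications) turns that exception into a redirect to a friendly page. The claim type, the in-memory allow list, the IsProvisioned helper and the /Account/AccessDenied path are assumptions standing in for the real database check and view.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security.WsFederation;
using Owin;

public partial class Startup
{
    // Constructed sample allow list; a real app would query its database here.
    private static readonly string[] AllowedUserIds = { "user-001", "user-002" };

    // Hypothetical lookup helper standing in for the database check.
    private static bool IsProvisioned(string userId) =>
        AllowedUserIds.Contains(userId, StringComparer.OrdinalIgnoreCase);

    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
        {
            Wtrealm = AppSettings.IdpRealm,
            MetadataAddress = AppSettings.IdpMetadata,
            Notifications = new WsFederationAuthenticationNotifications
            {
                SecurityTokenValidated = n =>
                {
                    var identity = n.AuthenticationTicket.Identity;
                    // Key the check on the IdP's stable identifier, not a display name
                    var userId = identity.FindFirst(ClaimTypes.NameIdentifier)?.Value;

                    if (string.IsNullOrEmpty(userId) || !IsProvisioned(userId))
                    {
                        // Throwing here aborts the sign-in before any cookie is issued
                        throw new SecurityTokenValidationException("User is not provisioned");
                    }
                    return Task.FromResult<object>(null);
                },
                AuthenticationFailed = n =>
                {
                    if (n.Exception is SecurityTokenValidationException)
                    {
                        // Mark the failure as handled and send the user to a friendly view
                        n.HandleResponse();
                        n.Response.Redirect("/Account/AccessDenied");
                    }
                    return Task.FromResult<object>(null);
                }
            }
        });
    }
}
```

The check runs only at sign-in, so a user removed from the database later keeps access until the cookie expires; pair it with a short cookie lifetime or a per-request re-check if revocation must take effect sooner.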
