I have a .NET 4.8 project that has currently migrated to using OWIN for authentication, but session timeouts don’t work any more.
This was working when the app used OpenIdConnect, but I can’t figure out how to replace (or rewrite) the OpenIdConnectAuthenticationNotifications part.
My old startup.cs file had the following code:
    app.UseCookieAuthentication(new CookieAuthenticationOptions()
    {
        CookieManager = new SystemWebCookieManager(),
        CookieHttpOnly = true,
        CookieSecure = CookieSecureOption.Always,
        ExpireTimeSpan = TimeSpan.FromSeconds(Convert.ToInt32(_authSessionTimeout)),
        SlidingExpiration = true
    });
    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            // Sets the ClientId, authority, RedirectUri as obtained from web.config
            ClientId = _clientId,
            Authority = _authority,
            RedirectUri = _redirectUri,
            ClientSecret = _clientSecret,
            // Do not use the token lifetime; this setting overrides the expiration of the auth cookie.
            UseTokenLifetime = false,
            // PostLogoutRedirectUri is the page that users will be redirected to after sign-out. In this case, it is using the home page
            PostLogoutRedirectUri = _postLogoutRedirectUri,
            Scope = OpenIdConnectScope.OpenIdProfile,
            // ResponseType is set to request the code id_token - which contains basic information about the signed-in user
            ResponseType = OpenIdConnectResponseType.CodeIdToken,
            // OpenIdConnectAuthenticationNotifications configures OWIN to send notification of failed authentications to OnAuthenticationFailed method
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthenticationFailed = OnAuthenticationFailed,
                RedirectToIdentityProvider = ctx =>
                {
                    // Prompt the user to login each time
                    ctx.ProtocolMessage.Prompt = "login";
                    // force re-authentication if the user hasn't logged in the last 15 minutes
                    ctx.ProtocolMessage.MaxAge = _authSessionTimeout;
                    return Task.FromResult(0);
                }
            }
        }
    );
Meanwhile, the new code (which I didn’t write as I’m not well-versed in authentication code) looks like this:
    app.UseCookieAuthentication(new CookieAuthenticationOptions()
    {
        CookieManager = new Microsoft.Owin.Host.SystemWeb.SystemWebCookieManager(),
        CookieHttpOnly = true,
        CookieSecure = CookieSecureOption.Always,
        ExpireTimeSpan = TimeSpan.FromSeconds(Convert.ToInt32(_authSessionTimeout)),
        SlidingExpiration = true
    });
    // Get a TokenAcquirerFactory specialized for OWIN
    OwinTokenAcquirerFactory owinTokenAcquirerFactory = TokenAcquirerFactory.GetDefaultInstance<OwinTokenAcquirerFactory>();
    // Configure the web app.
    app.AddMicrosoftIdentityWebApp(owinTokenAcquirerFactory,
        updateOptions: options => { });
    // Add the services you need.
    owinTokenAcquirerFactory.Services
        .Configure<ConfidentialClientApplicationOptions>(options =>
        {
            options.RedirectUri = _redirectUri;
            options.TenantId = Tenant;
            options.ClientSecret = _clientSecret;
            options.ClientId = _clientId;
        })
        .AddMicrosoftGraph()
        .AddInMemoryTokenCaches();
    owinTokenAcquirerFactory.Build();
I’m sure the issue is the missing ‘Notification’ section, but I can’t figure out how to incorporate that in the new code.
Not sure I’m sharing enough info, but I’d appreciate any help or direction.
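
One way to carry the old timeout settings into the new startup, as an added example that is not part of the original post: it restores `UseTokenLifetime = false` and the `RedirectToIdentityProvider` handler through the `updateOptions` callback. It assumes that callback receives the `OpenIdConnectAuthenticationOptions` before the middleware is registered; `SessionTimeoutOptions` and `Apply` are hypothetical names.

```csharp
using System;
using System.Globalization;
using Microsoft.Owin.Security.OpenIdConnect;

// Added example; SessionTimeoutOptions and Apply are hypothetical names, not library API.
public static class SessionTimeoutOptions
{
    // authSessionTimeoutSeconds: the same value as _authSessionTimeout in the post
    // (a number of seconds stored as a string).
    public static void Apply(OpenIdConnectAuthenticationOptions options, string authSessionTimeoutSeconds)
    {
        if (options == null) throw new ArgumentNullException(nameof(options));
        if (!int.TryParse(authSessionTimeoutSeconds, out var seconds) || seconds <= 0)
            throw new ArgumentException("Timeout must be a positive number of seconds.",
                nameof(authSessionTimeoutSeconds));

        // With the default (true) the auth cookie takes the token's lifetime, which
        // overrides ExpireTimeSpan and SlidingExpiration on the cookie middleware.
        options.UseTokenLifetime = false;

        // Assumption: the library may already have registered its own handlers.
        // Keep whatever is there and run it first instead of replacing Notifications.
        options.Notifications = options.Notifications ?? new OpenIdConnectAuthenticationNotifications();
        var previous = options.Notifications.RedirectToIdentityProvider;

        options.Notifications.RedirectToIdentityProvider = async ctx =>
        {
            if (previous != null) await previous(ctx);

            // Same two settings as the old startup code:
            // prompt for credentials, and send max_age so an older login is not reused.
            ctx.ProtocolMessage.Prompt = "login";
            ctx.ProtocolMessage.MaxAge = seconds.ToString(CultureInfo.InvariantCulture);
        };
    }
}

// Usage in Startup, replacing the empty updateOptions callback:
// app.AddMicrosoftIdentityWebApp(owinTokenAcquirerFactory,
//     updateOptions: options => SessionTimeoutOptions.Apply(options, _authSessionTimeout));
```

An `AuthenticationFailed` handler can be chained onto `options.Notifications` the same way.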