How to configure refresh of auth-cookie, or log out user when cookie has expired?
Details:
We are using Azure SWA with an Azure functions app running on dotnet 8 isolated as the backend api with C#. We are using a custom identity provider targeting microsoft entra version 1, like https://learn.microsoft.com/en-us/azure/static-web-apps/authentication-custom?tabs=aad%2Cfunction#configure-a-custom-identity-provider
We are using Microsoft.Graph v5.61.0 to retreive the roles. There is a posibility that this version of Microsoft.Graph has a bug as this is where the user roles are retrieved.
We are provided with a client principal that we can use to get custom roles, however the user claim has an expiration time of 1h, and this does not seem to be respected anywhere. I.e nothing special happens after 1h. Reloading the page, closing the page etc does not renew the user claims.
Further, after the user has been active for a long period of time (we have tried 24h) the client principal returned does not include the custom roles. The user is not logged out or otherwise unathenticated, even though the auth cookie should expire after a few hours according to the similar issue on github: https://github.com/Azure/static-web-apps/issues/213 (scroll down to see that the issue changes through the thread)
It is important that the custom roles can be returned even after the user has been logged in for 24h, hopefully this can be achieved by refreshing the auth cookie. Otherwise it would be acceptable if the user was logged out when the cookie has expired.
How can we configure this?
3
To refresh the authentication cookie, you need to log in again or log out and reauthenticate.
In general, the /auth/login/<PROVIDER> endpoint triggers reauthentication and generates a new token. The authentication token is set to expire after a defined period (e.g., 45 minutes for an hour-long token).
Azure Static Web Apps does not automatically log out users when the authentication cookie expires. To handle this, you can implement a mechanism to detect expiration and enforce logout on the frontend or backend.
I referred to these MSDOCs 1 and 2 to configure and add authentication in an Azure Static Web App.
Example:
Use the following URL to log out: https://<YOUR_SITE>/.auth/logout/aad/callback
Alternatively, you can include login and logout like below
<a href="/.auth/login/aad">Login with Microsoft Entra ID</a>
<a href="/.auth/logout">Log out</a>
.
.
async function getUserInfo() {
const response = await fetch('/.auth/me');
const user = await response.json();
const pre = document.querySelector('pre');
pre.textContent = JSON.stringify(user, null, 2);
}
getUserInfo();
In staticwebapp.config.json in addtion to Microsoft Entra add below routes
{
"navigationFallback": {
"rewrite": "/index.html",
"exclude": ["/static/*", "/api/*"]
},
"responseOverrides": {
"401": {
"rewrite": "/unauthorized.html"
},
"404": {
"rewrite": "/404.html"
}
},
"routes": [
{
"route": "/api/*",
"allowedRoles": ["authenticated", "Admin"]
},
{
"route": "/admin/*",
"allowedRoles": ["Admin"]
},
{
"route": "/",
"allowedRoles": ["anonymous"]
},
{
"route": "/login",
"redirect": "/.auth/login/github"
},
{
"route": "/logout",
"redirect": "/.auth/logout"
},
{
"route": "/.auth/login/aad",
"statusCode": 404
},
{
"route": "/purge",
"redirect": "/.auth/purge/github"
}
]
}