Cache tokens in Azure App Service authentication (EasyAuth)


I'm using Azure App Service built-in authentication to log in users to my web app. Since I have some pages that users can access without authentication, I have allowed anonymous access in the App Service auth configuration.

It works as intended for the current session. But when the user closes the browser or opens a new window, the authentication is lost. The user is required to log in again.

Is there any way to keep the user logged in?

What I do currently:

On sign-in button click, direct the user to /.auth/login/microsoftaccount; after a successful login I call /.auth/me to get the user claims/details and then log the user in. Then I do an HTTP POST to https://appname.azurewebsites.net/.auth/login/microsoftaccount to validate the tokens that I got from /.auth/me, and I also get a session token from this POST request (which I don't know what to use for).

I use the custom headers set by App Service for authentication on the backend. App Service auth docs

Is this the right way of doing authentication using App Service? If so, is there any way that we can keep the user logged in to App Service auth and not ask them to sign in every time they open the website?

Is there any way to cache the tokens?


There are 1 best solutions below


It is normal that you need to log in again after closing your browser or opening a new window, because the life cycle of a session is from opening the window to closing the window.

You could consider using a cookie in coordination with the session. The session is on the server side; we cannot see it, but we could set the timeout value. The cookie is on the client side; we could save some authentication information in it to stay logged in, but it is not safe.
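
The cookie-plus-server-session idea from the answer above, as an added Python example that is not part of the original answer or of App Service itself: the persistent cookie carries only a random session id, while the user identity and the timeout stay on the server. The cookie name, the 14-day timeout and the in-memory store are assumptions chosen for illustration.

```python
import secrets
import time

SESSION_TTL = 14 * 24 * 3600   # assumed server-side timeout, in seconds
COOKIE_NAME = "app_session"    # hypothetical cookie name

# In-memory stand-in for a server-side session store: id -> (user_id, expiry)
_sessions = {}


def issue_session(user_id, now=None):
    """Create a server-side session; return (session_id, Set-Cookie value)."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)          # unguessable, carries no user data
    _sessions[sid] = (user_id, now + SESSION_TTL)
    # Max-Age makes the cookie survive a browser restart. HttpOnly keeps it
    # away from page scripts, Secure limits it to HTTPS, SameSite=Lax stops
    # it being sent on cross-site subrequests.
    cookie = (f"{COOKIE_NAME}={sid}; Max-Age={SESSION_TTL}; Path=/; "
              "Secure; HttpOnly; SameSite=Lax")
    return sid, cookie


def parse_cookie_header(header):
    """Return our session id from a request Cookie header, or None."""
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME and value:
            return value
    return None


def lookup_user(cookie_header, now=None):
    """Map a request's Cookie header to a user id, enforcing the timeout."""
    now = time.time() if now is None else now
    sid = parse_cookie_header(cookie_header or "")
    entry = _sessions.get(sid)
    if entry is None:
        return None                          # unknown or forged id
    user_id, expiry = entry
    if now >= expiry:
        _sessions.pop(sid, None)             # expired: drop it server-side
        return None
    return user_id


def revoke(sid):
    """Log out: the cookie becomes useless even if the browser keeps it."""
    _sessions.pop(sid, None)
```

Because the cookie value is only a lookup key, a copied cookie stops working as soon as the server-side entry expires or is revoked.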