Architecture - External provider revoking access #497
Unanswered
GoldSloth asked this question in IdentityServer
Replies: 1 comment
That is a great question, and would be curious to see what others on the Duende Community think.
We are replacing our existing identity system to support both local login and external providers (e.g. Microsoft SSO).
A key requirement for us is revocation of access, which we can achieve via `IProfileService` on our IdentityServer on our side. We would also like revocation of access to the external provider to trickle down to our applications too.
For example, if one of our clients needs to urgently revoke access to a Microsoft account, we would like our application to also revoke access soon after.
Our strategy to achieve this is to set the `idsrv` cookie to expire soon after they authenticate if they use an external provider, so the next time they get sent to IdentityServer they get sent along to Microsoft rather than re-authenticating with the local cookie. However, this approach means they need to re-enter their email address in the login form every time.
Our login page does home realm discovery by taking the username and showing either local login or redirecting to an external provider depending on the user record. One of our applications sends the `login_hint` parameter and redirect to the correct login method accordingly, so don't require the user to re-enter their email address.
A few solutions we've thought of:
I would be interested if anyone has dealt with this scenario before and could share how they approached it. Is it common to send the user back to the external provider so frequently, or are we approaching this the wrong way? Thanks!
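The strategy described in the question above, sketched as an added example that is not part of the original post and is not Duende's own code: home realm discovery from `login_hint`, then a short, non-sliding `idsrv` session for external logins. It assumes the external handler signs in to IdentityServer's external cookie scheme; `ILoginDirectory`, the controller name, the `"scheme"` item key and the 5-minute lifetime are hypothetical.

```csharp
// Added example, not from the original post. ILoginDirectory is hypothetical;
// the 5-minute lifetime is a sample value, not a recommendation from the page.
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Duende.IdentityServer;
using Duende.IdentityServer.Services;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
public interface ILoginDirectory // hypothetical lookup over the user records
{
    Task<string?> FindExternalSchemeAsync(string username); // null => local login
    Task<string?> FindSubjectIdAsync(ClaimsPrincipal externalUser); // null => unknown user
}
public class ExternalLoginController : Controller
{
    private static readonly TimeSpan ExternalSessionLifetime = TimeSpan.FromMinutes(5);
    private readonly IIdentityServerInteractionService _interaction;
    private readonly ILoginDirectory _directory;
    public ExternalLoginController(IIdentityServerInteractionService interaction, ILoginDirectory directory)
        => (_interaction, _directory) = (interaction, directory);
    [HttpGet] // Home realm discovery driven by the client's login_hint.
    public async Task<IActionResult> Login(string returnUrl)
    {
        if (!_interaction.IsValidReturnUrl(returnUrl)) return BadRequest();
        var hint = (await _interaction.GetAuthorizationContextAsync(returnUrl))?.LoginHint;
        var scheme = string.IsNullOrWhiteSpace(hint) ? null : await _directory.FindExternalSchemeAsync(hint);
        if (scheme == null) return View(); // no hint, or a local user: show the username form
        var props = new AuthenticationProperties { RedirectUri = Url.Action(nameof(Callback), new { returnUrl }) };
        props.Items["scheme"] = scheme; // remembered for the callback
        return Challenge(props, scheme);
    }

    [HttpGet] // Runs after the external provider has authenticated the user.
    public async Task<IActionResult> Callback(string returnUrl)
    {
        var ext = await HttpContext.AuthenticateAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);
        if (!ext.Succeeded || !_interaction.IsValidReturnUrl(returnUrl)) return Unauthorized();
        var subjectId = await _directory.FindSubjectIdAsync(ext.Principal!);
        if (subjectId == null) return Unauthorized();
        var user = new IdentityServerUser(subjectId) { IdentityProvider = ext.Properties!.Items["scheme"] };
        // Short, non-sliding idsrv cookie: once it lapses, the next authorize request goes back to the provider.
        var session = new AuthenticationProperties { ExpiresUtc = DateTimeOffset.UtcNow.Add(ExternalSessionLifetime), AllowRefresh = false };
        await HttpContext.SignInAsync(user, session);
        await HttpContext.SignOutAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);
        return Redirect(returnUrl);
    }
}
```

Clients that send `login_hint` skip the username form on each round trip; clients that do not send it still land on the form once the short session has expired.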