
Redirecting back to client application after logging out from the external identity provider #1404

Closed
okhara opened this issue May 2, 2023 · 5 comments
Assignees
Labels
bug Something isn't working
Milestone

Comments

okhara (Contributor) commented May 2, 2023

Identity server version 6.2.3
.NET version 6.0

Redirecting back to client application after logging out from the external identity provider

The user is not redirected back to the client application from the external identity provider when IdentityServer is configured for ASP.NET Identity.
For example, if we use one of the quickstart projects from the Duende samples and add an OIDC identity provider (we can use one of the clients from https://demo.duendesoftware.com/), we will be able to log in through the identity provider successfully, but when we try to log out, the process will go through logout at the identity provider and will not redirect back to the identity server and to the client application.

To Reproduce

  1. Configure a web application as client and IdentityServer for ASP.NET Identity (.AddAspNetIdentity<ApplicationUser>()).
  2. Add an OIDC identity provider (.AddInMemoryOidcProviders).
  3. Log into the client application through IdentityServer using the external identity provider configured in the second step.
  4. Log out from the client application.

Expected behavior

The user is logged out from the client application, IdentityServer and the external identity provider, after which the user is redirected back to the client application.

Actual behavior

The user is not redirected back to the client application.

Solution

Link to PR
After some debugging of the Duende and Microsoft sources, I've discovered that the reason for the redirection problem is the absence of the id token. The SignOutScheme, which is used to retrieve the id token from the user, is left at its default value, but after configuring IdentityServer for ASP.NET Identity the default authentication scheme is changed to Identity.Application.

josephdecock (Member) commented:

Thanks for opening this issue. We'll take a look soon!

brockallen (Member) commented:

This should work from our quickstart samples. Have you tested those? Or have you finally sorted out the issue?

@brockallen brockallen added question Further information is requested and removed investigating labels Jun 29, 2023
okhara (Contributor, Author) commented Jun 29, 2023

I have tested it out. The quickstart project which is configured with ASP.NET Identity doesn't work as expected.

Link to the specific quickstart

When I use the quickstart linked above and configure dynamic providers for it (for example using Duende's demo identity server as a dynamic provider), the user is not redirected from the external provider back to IdentityServer and back to the client application.

The reason for not being redirected is the absence of id_token_hint from the end session request to the external provider. As id_token_hint is absent, the external identity provider doesn't redirect to post_logout_redirect_uri, which is perfectly understandable based on the OpenID Connect specs.

The reason for the absent id_token_hint is configuring Duende with ASP.NET Identity, i.e. calling the .AddAspNetIdentity() extension method.

When configuring ASP.NET Identity, Microsoft.AspNetCore.Authentication.AuthenticationOptions.DefaultAuthenticateScheme is set to Identity.Application. But Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions.SignOutScheme is set to Duende.IdentityServer.Configuration.IdentityServerOptions.DynamicProviders.SignOutScheme (Link to the OidcConfigureOptions), the value of which is idsrv. This causes the authentication and logout process to use different schemes (Identity.Application and idsrv).

The solution provided by me suggests one method for fixing this issue: setting SignOutScheme of DynamicProviderOptions to Microsoft.AspNetCore.Authentication.AuthenticationOptions.DefaultAuthenticateScheme.

josephdecock (Member) commented:

Thanks again for this bug report @ivan-sedlak-visma. I've now managed to reproduce this problem and we're reviewing your PR. In the short term, I believe you can work around this issue with configuration like this:

        builder.Services
            .AddIdentityServer(options =>
            {
                options.DynamicProviders.SignOutScheme = IdentityConstants.ApplicationScheme;

                // rest omitted...
            });

But we do agree that it would be better if the two features understood each other and no manual configuration was necessary.
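The following Program.cs puts the workaround above into the full configuration that triggers the bug: ASP.NET Identity plus a dynamic OIDC provider on one IdentityServer host. It is an added example and not code from the issue, the linked PR or Duende's quickstarts. It assumes the ApplicationUser and ApplicationDbContext types from the AspNetIdentity quickstart, a connection string named DefaultConnection, a client application at https://localhost:5002, and a client id/secret for https://demo.duendesoftware.com as published on that demo site (treat those credentials as placeholders).

```csharp
// Added example, not code from the issue, the linked PR or Duende's quickstarts.
// Assumptions: ApplicationUser and ApplicationDbContext exist as in the AspNetIdentity
// quickstart; a connection string "DefaultConnection"; the client runs at
// https://localhost:5002; the client id/secret for https://demo.duendesoftware.com are
// the ones the demo site publishes (placeholders here).
using Duende.IdentityServer;
using Duende.IdentityServer.Models;
using Microsoft.AspNetCore.Identity;
using Microsoft.EntityFrameworkCore;

var builder = WebApplication.CreateBuilder(args);

// ASP.NET Identity. Registering it makes "Identity.Application" the default
// authenticate scheme, i.e. the scheme whose cookie carries the user's principal
// and the id_token that the OIDC handler later needs for id_token_hint.
builder.Services.AddDbContext<ApplicationDbContext>(o =>
    o.UseSqlite(builder.Configuration.GetConnectionString("DefaultConnection")));
builder.Services
    .AddIdentity<ApplicationUser, IdentityRole>()
    .AddEntityFrameworkStores<ApplicationDbContext>()
    .AddDefaultTokenProviders();

builder.Services
    .AddIdentityServer(options =>
    {
        // Workaround from the thread. The dynamic provider's
        // OpenIdConnectOptions.SignOutScheme is taken from this setting and defaults
        // to "idsrv". With ASP.NET Identity that cookie is never issued, so at sign-out
        // the OIDC handler finds no id_token, omits id_token_hint from the end_session
        // request, and the external provider will not honour post_logout_redirect_uri.
        options.DynamicProviders.SignOutScheme = IdentityConstants.ApplicationScheme;
    })
    .AddInMemoryIdentityResources(new IdentityResource[]
    {
        new IdentityResources.OpenId(),
        new IdentityResources.Profile(),
    })
    .AddInMemoryClients(new[]
    {
        new Client
        {
            ClientId = "web",
            ClientSecrets = { new Secret("secret".Sha256()) },
            AllowedGrantTypes = GrantTypes.Code,
            RedirectUris = { "https://localhost:5002/signin-oidc" },
            // Must match what the client sends; IdentityServer validates it before redirecting.
            PostLogoutRedirectUris = { "https://localhost:5002/signout-callback-oidc" },
            AllowedScopes =
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile,
            },
        },
    })
    .AddAspNetIdentity<ApplicationUser>()
    // Dynamic (external) OIDC provider, here the Duende demo server.
    .AddInMemoryOidcProviders(new[]
    {
        new OidcProvider
        {
            Scheme = "demoidsrv",
            DisplayName = "Duende demo IdentityServer",
            Authority = "https://demo.duendesoftware.com",
            ClientId = "interactive.confidential",
            ClientSecret = "secret",
            ResponseType = "code",
            Scope = "openid profile",
        },
    });

builder.Services.AddRazorPages();

var app = builder.Build();
app.UseStaticFiles();
app.UseRouting();
app.UseIdentityServer();   // registers the authentication middleware as well
app.UseAuthorization();
app.MapRazorPages();
app.Run();
```

To confirm the fix, sign in through the demoidsrv provider, sign out from the client, and inspect the redirect to the external provider's end_session endpoint: with the SignOutScheme line removed the query string carries post_logout_redirect_uri but no id_token_hint, and the demo server stops there; with it in place both parameters are present and the chain returns to https://localhost:5002/signout-callback-oidc.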

@AndersAbel AndersAbel added bug Something isn't working and removed question Further information is requested investigating labels Aug 8, 2023
@josephdecock josephdecock transferred this issue from DuendeSoftware/Support Aug 31, 2023
@brockallen brockallen added this to the 7.0.0 milestone Sep 18, 2023
josephdecock (Member) commented:

This was resolved in #1265
