This repository has been archived by the owner on Mar 3, 2022. It is now read-only.

State returned as querystring parameter after signout in 1.4.0-beta.1 #425

Closed
shuppert opened this issue Sep 26, 2017 · 6 comments

@shuppert

In my Ionic application I'm seeing the state parameter used for signout returned when the post_logout_redirect_uri is called after signing out of IdentityServer3.

E.g. "http://localhost:8100/?state=b38291aa9a774e82992bdb88513d3036" is called when post_logout_redirect_uri is set to "http://localhost:8100". This behavior is new in 1.4.0-beta.1 and wasn't happening with 1.3.0.

Is this a bug or a new feature that can be disabled?

-Scott

@brockallen
Member

brockallen commented Sep 26, 2017

state should only get generated for the post_logout_redirect_uri if you passed state (or data) to the signout API. Are you?

@shuppert
Author

No, not specifically unless the TypeScript wrapper is doing something weird. I do see the state on the Logout screen and in the IdentityServer3 logs.

TS code:
var signoutRedirectPromise = this.userManager.signoutRedirect();

IdentityServer3 log:
2017-09-26 09:16:17,552 [37] (null) MYMACHINE INFO IdentityServer3.Core.Validation.EndSessionRequestValidator - End session request validation success
{
  "ClientId": "js.tokenmanager",
  "ClientName": "MyClient",
  "SubjectId": "22a03a21-e538-4db7-93d6-63b5f7d924ac",
  "PostLogOutUri": "http://localhost:8100/",
  "State": "b38291aa9a774e82992bdb88513d3036",
  "Raw": {
    "id_token_hint": "eyJ0e...",
    "post_logout_redirect_uri": "http://localhost:8100/",
    "state": "b38291aa9a774e82992bdb88513d3036"
  }
}

@shuppert
Author

shuppert commented Sep 26, 2017

This is the log with 1.3.0. Same client/TS code.

2017-09-23 13:20:21,702 [6] (null) MYMACHINE INFO IdentityServer3.Core.Validation.EndSessionRequestValidator - End session request validation success
{
  "ClientId": "js.tokenmanager",
  "ClientName": "MyClient",
  "SubjectId": "22a03a21-e538-4db7-93d6-63b5f7d924ac",
  "PostLogOutUri": "http://localhost:8100/",
  "Raw": {
    "id_token_hint": "eyJ0eXA...",
    "post_logout_redirect_uri": "http://localhost:8100/"
  }
}

@brockallen
Member

Ah, I see where this is getting added -- it's in the UserManager. I think it was added for signOutPopup. I'll see if I can get it removed for normal redirects.

@brockallen brockallen added bug and removed question labels Sep 26, 2017
@brockallen brockallen added this to the 1.4.0 milestone Sep 26, 2017
@brockallen
Member

Fixed. Can you test 1.4.0-beta.2 for me, please?

@shuppert
Author

1.4.0-beta.2 resolves the issue and the logs look like they did in 1.3.0. Thanks @brockallen for the quick fix!

-Scott
