You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Dec 13, 2022. It is now read-only.
I believe this is the same issue as 3153 that was reported a couple of weeks ago. I am using this quickstart lhttps://github.com/IdentityServer/IdentityServer4.Samples/blob/master/Quickstarts/Combined_AspId_and_EFStorage/ and when you logout it is not also logging out of the client SPA. I believe the issue is that the link to logout on the quickstart does not include the logoutid. More detail below....
public async Task<IActionResult> Logout(string logoutId)
{
// build a model so the logout page knows what to display
var vm = await BuildLogoutViewModelAsync(logoutId);
if (vm.ShowLogoutPrompt == false)
{
// if the request for logout was properly authenticated from IdentityServer, then
// we don't need to show the prompt and can just log the user out directly.
return await Logout(vm);
}
return View(vm);
}
As a result vm.TriggerExternalSignout is false which means the extenal signout does not get called.
/// Handle logout page postback
/// </summary>
[HttpPost]
[ValidateAntiForgeryToken]
public async Task<IActionResult> Logout(LogoutInputModel model)
{
// build a model so the logged out page knows what to display
var vm = await BuildLoggedOutViewModelAsync(model.LogoutId);
if (User?.Identity.IsAuthenticated == true)
{
// delete local authentication cookie
await _signInManager.SignOutAsync();
// raise the logout event
await _events.RaiseAsync(new UserLogoutSuccessEvent(User.GetSubjectId(), User.GetDisplayName()));
}
// check if we need to trigger sign-out at an upstream identity provider
if (vm.TriggerExternalSignout)
{
// build a return URL so the upstream provider will redirect back
// to us after the user has logged out. this allows us to then
// complete our single sign-out processing.
string url = Url.Action("Logout", new { logoutId = vm.LogoutId });
// this triggers a redirect to the external provider for sign-out
return SignOut(new AuthenticationProperties { RedirectUri = url }, vm.ExternalAuthenticationScheme);
}
return View("LoggedOut", vm);
}
The text was updated successfully, but these errors were encountered:
Sorry, I got this completely wrong. This is not an issue. I was confusing the signing out of the provider which the client. As it happens my provider Amazon does not support this.
I should probably add a note in the documentation that most authorization providers do not allow third party applications to log them out. Google doesn't either.
I believe this is the same issue as 3153 that was reported a couple of weeks ago. I am using this quickstart lhttps://github.com/IdentityServer/IdentityServer4.Samples/blob/master/Quickstarts/Combined_AspId_and_EFStorage/ and when you logout it is not also logging out of the client SPA. I believe the issue is that the link to logout on the quickstart does not include the logoutid. More detail below....
Looks like the issue is that in the quickstarts layout https://github.com/IdentityServer/IdentityServer4.Samples/blob/master/Quickstarts/Combined_AspId_and_EFStorage/src/IdentityServer/Views/Shared/_Layout.cshtml
the link to the logout controller does not pass the logoutId argument
...which the AccountController expects
https://github.com/IdentityServer/IdentityServer4.Samples/blob/master/Quickstarts/Combined_AspId_and_EFStorage/src/IdentityServer/Quickstart/Account/AccountController.cs
As a result vm.TriggerExternalSignout is false which means the extenal signout does not get called.
The text was updated successfully, but these errors were encountered: