/signout-oidc endpoint on ASP.NET WebForms client #43
Comments
Katana does not implement
@Tratcher: Thank you. I'm just curious why signin-oidc was implemented but not signout-oidc? Also, do I need an additional step for signouts on WebForms other than
@deastr The sign-out standard was still being developed when Katana released. You primarily need to clear auth cookies and any Session contents.
The problem is that it is not possible to identify the current user, because the signout callback is done in an iframe, so the auth cookie will not be sent reliably (only if 3rd party cookies are allowed, or the IdServer is in the trusted sites on IE). But with no cookie, it is not possible to check if the signout request is valid. So how to do this?
@DerAlbertCom If that's true then the spec itself is flawed. Do you have this problem in other browsers?
@Tratcher yes, the OpenID spec is flawed in my opinion, for GET based sign outs. Maybe that's the reason that there is also a backchannel signout specified. Modern browsers don't send 3rd party cookies to avoid tracking. So if the Identity Provider (like IdentityServer3/4) is running on a different domain, and is trying to log out the client, it is done via a simple iframe which calls the signout URI. No cookie is sent in that case. In IE you can add the Identity Provider URI to the trusted sites (possible in company environments) and in Firefox and Chrome you can allow 3rd party cookies. Then it works as expected. But as a developer I have no impact on that.
@DerAlbertCom @Tratcher what kind of feedback are you looking for here?
Yes, please
@Tratcher done.
The sid=5f5617803ca616c7cb247d2d30f178af parameter enables you to identify the user. Match the sid value with the "sid" claim in the ID Token that was sent at login time. That way, you can sign out only that user. Alternatively, some implementations ignore the "sid" and sign out all users upon receiving the front-channel logout message.
@selfissued it is not possible to verify the user because no cookie gets sent (on different domains than the OP) which allows to identify the user; logging out regardless of the sid is a great possibility for a Denial of Service. @brentschmaltz the feedback I'm looking for is a possibility to log the user out securely. But this seems not possible with OpenID Connect Front Channel Logout. Sorry, I'm on vacation, so this answer took a while.
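One way to implement the sid matching selfissued describes, as an added example that is not part of this thread and not Katana, WebForms or IdentityServer code. It is written in Python to show the protocol-level check only: at login the relying party records the "sid" claim of the validated ID token next to its own session, and the front-channel logout endpoint ends only the session whose sid matches, without relying on any cookie the iframe request may or may not carry. The issuer URL, the in-memory session store and the sample claims are constructed for the example; a real endpoint would also be paired with whatever cookie clearing the application does on its own sign-out.

```python
"""Front-channel logout handler that identifies the session by the OP's `sid`
query parameter instead of a browser cookie (which a cross-site iframe request
does not carry). Generic example, not Katana/ASP.NET code."""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical issuer used by the constructed sample data.
TRUSTED_ISSUER = "https://idp.example.test"


@dataclass
class SessionStore:
    """Server-side map from (iss, sid) to the local session ids created when an
    ID token carrying that sid was accepted at login."""
    by_sid: dict = field(default_factory=dict)  # (iss, sid) -> set of local ids
    active: set = field(default_factory=set)    # live local session ids

    def on_login(self, id_token_claims: dict, local_session_id: str) -> None:
        """Record the sid claim of an already-validated ID token for later matching."""
        key = (id_token_claims["iss"], id_token_claims["sid"])
        self.by_sid.setdefault(key, set()).add(local_session_id)
        self.active.add(local_session_id)

    def revoke_by_sid(self, iss: str, sid: str) -> int:
        """End every local session bound to (iss, sid); return how many ended."""
        ended = self.by_sid.pop((iss, sid), set())
        self.active -= ended
        return len(ended)


def handle_frontchannel_logout(store: SessionStore, request_url: str) -> dict:
    """Process GET /signout-oidc?iss=...&sid=... as sent from the OP's logout iframe.

    Nothing here depends on a cookie: the sid is matched against what the RP stored
    at login. A missing or unknown sid ends no session at all, which avoids the
    "sign everyone out on any request" behaviour the thread flags as a DoS risk."""
    query = parse_qs(urlsplit(request_url).query)
    iss = query.get("iss", [None])[0]
    sid = query.get("sid", [None])[0]
    if iss is None or sid is None:
        return {"status": 400, "ended": 0, "reason": "iss and sid are required"}
    if iss != TRUSTED_ISSUER:
        return {"status": 400, "ended": 0, "reason": "unknown issuer"}
    ended = store.revoke_by_sid(iss, sid)
    if ended == 0:
        # Respond 200 so the OP's iframe completes, but sign nobody out.
        return {"status": 200, "ended": 0, "reason": "no session for sid"}
    return {"status": 200, "ended": ended, "reason": "ok"}


def logout_url(iss: str, sid: str) -> str:
    """Build the iframe URL the OP would load (constructed RP host)."""
    return "https://rp.example.test/signout-oidc?" + urlencode({"iss": iss, "sid": sid})


def demo() -> dict:
    """Constructed walk-through: two users log in, only the matching one is logged out."""
    store = SessionStore()
    # Claims as they would appear in validated ID tokens (constructed sample data).
    store.on_login({"iss": TRUSTED_ISSUER, "sub": "alice", "sid": "sid-alice-1"}, "local-A")
    store.on_login({"iss": TRUSTED_ISSUER, "sub": "bob", "sid": "sid-bob-1"}, "local-B")
    return {
        "bogus": handle_frontchannel_logout(store, logout_url(TRUSTED_ISSUER, "does-not-exist")),
        "wrong_iss": handle_frontchannel_logout(store, logout_url("https://evil.example.test", "sid-alice-1")),
        "alice": handle_frontchannel_logout(store, logout_url(TRUSTED_ISSUER, "sid-alice-1")),
        "still_active": sorted(store.active),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Because Katana does not provide `/signout-oidc` on WebForms, an equivalent of `handle_frontchannel_logout` would be hosted by the application itself at the URL registered as the client's front-channel logout URI; the `sid` is only usable this way if the OP sends it, which in OpenID Connect Front-Channel Logout is the case when the client is registered with `frontchannel_logout_session_required`.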
I have an IdentityServer4 provider and I'm trying to connect an ASP.NET WebForms 4.5.2 client using OpenIdConnect 3.0.1. Everything works fine but I'm having a problem with the /signout-oidc endpoint on the WebForms client: it doesn't seem to exist. I'm getting a 404 error. Interestingly, /signin-oidc does exist. I'm using the same configuration for an ASP.NET Core client with the same OpenIdConnect 3.0.1 version and /signout-oidc does work there. Am I doing something wrong?

Here's the /connect/endsession/callback and /signout-oidc log from the logout process using Fiddler: