Closed LeishaBurford closed 4 weeks ago
Can you please share an example of the full URL of the request to the end session endpoint? It should look something like https://idp.example.com/connect/endsession?post_logout_redirect_uri=https%3A%2F%2Fclient.example.com%2Fsignout-callback&state=xyz123
This URL has a state query string parameter twice. One of which is URL encoded.
It seems you're manipulating the URL directly with the state parameter, causing that behavior. When setting the state, please use the AuthenticatorProperties object to set the state instead of appending it to the URL manually.
Thanks! I will try to find where we are setting state incorrectly and fix it :)
Great, good luck.
Which version of Duende IdentityServer are you using? version 6

Which version of .NET are you using? dotnet 6

Failing to redirect to the `post_logout_redirect_uri` when the URI includes a `state` query parameter.

When identity server receives an end session request with an allowed `post_logout_redirect_uri` and a `state` query parameter, the warning "Invalid PostLogoutRedirectUri" is logged and the `post_logout_redirect_uri` is not included in the validated end session request.

**To Reproduce**

Signout from an external provider with a `post_logout_redirect_uri` and `state` query parameter in the end session request.

**Expected behavior**

The `post_logout_redirect_uri` should be treated as valid (assuming it is correctly configured as an allowed redirect) and the user should be redirected to the value of the `post_logout_redirect_uri`.

**Additional context**

It seems the code is checking the entire value of the `post_logout_redirect_uri` without removing the `state` query parameter, i.e. the validator is checking if `https://server/sitename/foo?state=1234` is valid, where I would like to see it checking if `https://server/sitename/foo` is valid.

The path through the code leading me to this theory:

Sending us to the following two methods:

**Current workaround**

I am currently working around this by removing the `state` query parameter from the `post_logout_redirect_uri` and sending the state in the protocol message in the `OnRedirectToIdentityProviderForSignOut` event:

Encountered this when configuring a legacy Identity Server 4 to federate with our Duende Identity Server 6.
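As an added example (not the issue author's workaround and not Duende's validator), a small C# console program that shows why a `state` value appended to `post_logout_redirect_uri` fails a whole-string check against the registered URIs, and how to build the end session request with `state` as its own parameter instead. The allow-list check stands in for IdentityServer's own validation; the endpoint and redirect URIs are constructed samples.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;

// Added example: models the client side of an RP-initiated logout request.
public static class EndSessionRequest
{
    // Registered post-logout URIs are compared as whole strings, so a requested
    // URI that carries its own "?state=..." never equals the registered value.
    public static bool IsAllowedPostLogoutRedirect(string requested, IEnumerable<string> registered)
        => registered.Any(r => string.Equals(r, requested, StringComparison.Ordinal));

    // Split a "state" value that was appended to the redirect URI out into its own
    // value, leaving the bare URI (plus any other query parameters) for the check.
    public static (string RedirectUri, string? State) SplitState(string postLogoutRedirectUri)
    {
        var uri = new Uri(postLogoutRedirectUri);
        var query = HttpUtility.ParseQueryString(uri.Query);
        var state = query["state"];
        if (state is null) return (postLogoutRedirectUri, null);
        query.Remove("state");
        var bare = uri.GetLeftPart(UriPartial.Path);
        return (query.Count == 0 ? bare : bare + "?" + query, state);
    }

    // Build the end session request: state is its own parameter, each value encoded once.
    public static string Build(string endSessionEndpoint, string postLogoutRedirectUri, string? idTokenHint = null)
    {
        var (bareUri, state) = SplitState(postLogoutRedirectUri);
        var parameters = new List<string> { "post_logout_redirect_uri=" + Uri.EscapeDataString(bareUri) };
        if (state is not null) parameters.Add("state=" + Uri.EscapeDataString(state));
        if (idTokenHint is not null) parameters.Add("id_token_hint=" + Uri.EscapeDataString(idTokenHint));
        return endSessionEndpoint + "?" + string.Join("&", parameters);
    }

    public static void Main()
    {
        var registered = new[] { "https://server/sitename/foo" };          // constructed sample
        const string requested = "https://server/sitename/foo?state=1234"; // the URI from the issue

        Console.WriteLine(IsAllowedPostLogoutRedirect(requested, registered));                      // whole-string check fails
        Console.WriteLine(IsAllowedPostLogoutRedirect(SplitState(requested).RedirectUri, registered)); // bare URI passes
        Console.WriteLine(Build("https://idp.example.com/connect/endsession", requested));          // placeholder endpoint
    }
}
```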