Closed victorguidant closed 3 weeks ago
Is there a version of the middleware that is recommended for .NET 4.6.1/2 applications or is this no longer supported by Duende?
This is indeed a weird bug. My first guess is that there is some kind of response caching on the .NET Framework apps that causes the session cookie to be incorrectly set on the second computer.
Could you run the flow and use the browser development tools to see what cookies are set for User A and User B?
The Microsoft.Owin packages are still supported and are the recommended way to connect a .NET Framework application to IdentityServer.
Because this is sensitive, we are continuing this investigation through direct contact.
Which version of Duende IdentityServer are you using? 7.0.7
Which version of .NET are you using? 4.6.1 and 8
Describe the bug
We have a client configuration based on several URLs for different apps (2 in .NET Framework 4.6.1 and some others in .NET 8). Older .NET Framework apps have a different version of the OpenID package. The setup on Duende Identity uses the EF persistent store.
In the .NET 4.x.x app, the user logs in correctly, but if a user on a different computer accesses the same protected app URL in incognito or in a browser that wasn't logged in yet, it doesn't ask the user to log in, and redirects the user that was logged in before on a different computer.
.NET 8 apps don't store the grants in the database table, or they are added but removed almost immediately by IdentityServer after being redirected from IdentityServer to the client app.
To Reproduce
Expected behavior
The user is prompted to log in and is not able to access a session that was started by a different user on a different machine.
Client config:
.NET 4.6.1 Open ID config:
.NET 8 Open ID config: