Closed acmesoft-arg closed 11 months ago
You're correct, the lack of a sid is the reason why you don't have a logout URL. We use the session id to protect the logout endpoint, since without it an attacker could end sessions by making cross-site GET requests to the logout endpoint. Since you don't have a sid, that CSRF protection isn't active. Your application can log out by redirecting to the static ~/bff/logout path.
You could create your own CSRF protection for the logout endpoint that works basically the same as the sid-based protection. You would need to:
One final note: there are a few other places where the BFF uses the sid claim, most notably server-side session management. Server-side sessions include their sid, and back-channel logout tokens can include a sid to identify which session to end. Just something to watch out for in the future.
Is anything further needed on this issue, or should we close it?
Closing, but feel free to reopen if necessary.
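The check the maintainer describes above, carried through as an added example that is not part of the issue and not Duende.BFF's own code. It uses plain ASP.NET Core cookie and OpenID Connect handlers so it runs stand-alone in a server-side Program.cs; the claim name `logout_token`, the `/account/logout-url` and `/account/logout` paths, and the `Cognito:*` configuration keys are assumptions. Because Cognito issues no `sid`, the server mints its own unguessable per-session value at sign-in, hands it only to the already-signed-in client, and requires it on the logout request, which is the same shape as the sid-based protection: a cross-site GET cannot know the value, so it cannot end the session.

```csharp
// Program.cs (server side) - added example, not from the issue or from Duende.BFF.
// Assumption: the IdP (AWS Cognito) issues no "sid", so we mint a per-session
// logout token ourselves and require it on logout, mirroring the BFF's sid check.
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

const string LogoutTokenClaim = "logout_token"; // hypothetical claim name

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie()
.AddOpenIdConnect(options =>
{
    // Assumed configuration keys; point them at your Cognito user pool.
    options.Authority = builder.Configuration["Cognito:Authority"];
    options.ClientId = builder.Configuration["Cognito:ClientId"];
    options.ClientSecret = builder.Configuration["Cognito:ClientSecret"];
    options.ResponseType = "code";
    options.SaveTokens = true;
    options.Events.OnTokenValidated = ctx =>
    {
        // No sid from the IdP: bind a fresh 256-bit random value to this session
        // by storing it as a claim in the authentication cookie.
        var token = Convert.ToHexString(RandomNumberGenerator.GetBytes(32));
        var identity = (ClaimsIdentity)ctx.Principal!.Identity!;
        identity.AddClaim(new Claim(LogoutTokenClaim, token));
        return Task.CompletedTask;
    };
});
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Stand-in for the missing "bff:logout_url" claim: only a same-origin caller that
// already holds the session cookie can read the token-bearing logout URL.
app.MapGet("/account/logout-url", (ClaimsPrincipal user) =>
{
    var token = user.FindFirstValue(LogoutTokenClaim);
    return Results.Ok(new { logout_url = $"/account/logout?token={token}" });
}).RequireAuthorization();

// CSRF-protected logout: the supplied token must match the one bound to the
// session. A cross-site <img src="/account/logout"> or top-level GET has no way
// to learn the token, so the comparison fails and the session survives.
app.MapGet("/account/logout", (HttpContext http) =>
{
    var expected = http.User.FindFirstValue(LogoutTokenClaim);
    var supplied = http.Request.Query["token"].ToString();
    if (string.IsNullOrEmpty(expected) ||
        !CryptographicOperations.FixedTimeEquals(
            Encoding.UTF8.GetBytes(expected), Encoding.UTF8.GetBytes(supplied)))
    {
        return Results.BadRequest("missing or invalid logout token");
    }
    // Ends the local session. Upstream sign-out at the IdP is provider-specific
    // and deliberately left out of this example.
    return Results.SignOut(
        new AuthenticationProperties { RedirectUri = "/" },
        new[] { CookieAuthenticationDefaults.AuthenticationScheme });
});

app.Run();
```

The client flow is the same as with the BFF's own `bff:logout_url`: fetch `/account/logout-url` with the session cookie, then navigate to the returned URL. `FixedTimeEquals` returns false for inputs of different lengths, so a missing or truncated token is rejected without a timing side channel, and because the token is minted per sign-in rather than derived from the user, a value captured from one session is useless against the next.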
Version: Duende.BFF 2.1.1
Blazor WASM + ASP.NET Core Hosted .NET 7
Issue: No "bff:logout_url" claim is received from the BFF. The only "bff:" claim received from the BFF is "bff:session_expires".
(As far as I can see, no "sid" is received (check the user claims below), and no AWS Cognito documentation mentions this data.)
To reproduce it, use an AWS Cognito User Pool as the Identity Provider. The following code is in Program.cs (server side):
Expected behavior
Receive the logout_url and manage logout.
No output / error has been received.
Additional data: This is the output from: