IdentityModel / IdentityModel.OidcClient

Certified C#/NetStandard OpenID Connect Client Library for native mobile/desktop Applications (RFC 8252)
Apache License 2.0

Is there a way to have OIDC Client not persist the login on the Duende Oauth server? #407

Closed JimWilcox3 closed 10 months ago

JimWilcox3 commented 10 months ago

Normally, persisting the login information is a good thing on a mobile device, but I have a situation where there might be more than one user on a device. The simple answer is to tell them to make sure they log out. This doesn't always happen. Is there a way to have the app log in to the server and get the tokens, then log out of the server when it's done? Maybe something I can pass to the options?

Here is my login code:

```csharp
// Client configuration is read from app settings; the Browser is the
// platform-specific IBrowser implementation (Android Chrome Custom Tabs here).
_options = new OidcClientOptions
{
    Authority = vm.Config["Settings:Authority"],
    ClientId = vm.Config["Settings:ClientId"],
    Scope = vm.Config["Settings:Scope"],
    RedirectUri = vm.Config["Settings:RedirectUri"],
    PostLogoutRedirectUri = vm.Config["Settings:RedirectUri"],
    Browser = new ChromeCustomTabsBrowser(this)
};

var oidcClient = new OidcClient(_options);

// Opens the system browser for the authorization request and completes
// the code exchange; no extra parameters are sent to the authorize endpoint.
var result = await oidcClient.LoginAsync();

if (result.IsError)
{
    vm.Logger.LogError(result.Error);
}
else
{
    // Store the tokens for later API calls and refresh.
    vm.Tokens.AccessToken = result.AccessToken;
    vm.Tokens.IdentityToken = result.IdentityToken;
    vm.Tokens.RefreshToken = result.RefreshToken;
    vm.Tokens.AccessTokenExpiration = result.AccessTokenExpiration.DateTime.ToUniversalTime();
    vm.Tokens.Error = result.Error;

    vm.Logger.LogInformation("{0} logged in!", result.User.Identity.Name);
}
```

Thanks, Jim

brockallen commented 10 months ago

For this client, you could always pass the "prompt" parameter when making the request to the authorize endpoint: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest

JimWilcox3 commented 10 months ago

That worked. I stumbled through passing the parameter, but it seems to always ask for the user to login.

This is what I came up with:

```csharp
_options = new OidcClientOptions
{
    Authority = vm.Config["Settings:Authority"],
    ClientId = vm.Config["Settings:ClientId"],
    Scope = vm.Config["Settings:Scope"],
    RedirectUri = vm.Config["Settings:RedirectUri"],
    PostLogoutRedirectUri = vm.Config["Settings:RedirectUri"],
    Browser = new ChromeCustomTabsBrowser(this)
};

var oidcClient = new OidcClient(_options);

// Extra query parameters appended to the front-channel authorize request.
// prompt=login tells the OP to re-authenticate the user even if a session exists.
var parm = new Parameters
{
    { "prompt", "login" }
};

var result = await oidcClient.LoginAsync(new LoginRequest { FrontChannelExtraParameters = parm });
```

brockallen commented 10 months ago

> but it seems to always ask for the user to login.

That's exactly what that param/value combo is asking for. That was your requirement, yes?

JimWilcox3 commented 10 months ago

Yes sir. I didn't realize there was a way to have it always force a user to enter credentials. This was a better fix than what I was asking for. Thanks for the insight and solution.
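The following is an added example, not code from this issue or from IdentityModel.OidcClient itself. It pulls the thread's answer together for a shared-device scenario: `prompt=login` on the authorize request forces a fresh credential prompt regardless of any session cookie a previous user left in the browser, and, for the behaviour originally asked about, `LogoutAsync` with an `id_token_hint` ends the server-side session once the app holds its tokens. Names, URLs and configuration values below are placeholders; the `IBrowser` instance is assumed to be supplied by the platform code (the thread uses `ChromeCustomTabsBrowser`).

```csharp
// Added example; assumes IdentityModel.OidcClient 5.x with IdentityModel.Client.
// All endpoint, client and redirect values are constructed placeholders.
using System;
using System.Threading.Tasks;
using IdentityModel.Client;
using IdentityModel.OidcClient;
using IdentityModel.OidcClient.Browser;

public sealed class SharedDeviceLogin
{
    private readonly OidcClient _client;

    public SharedDeviceLogin(IBrowser browser)
    {
        var options = new OidcClientOptions
        {
            Authority = "https://idp.example.test",             // placeholder
            ClientId = "mobile-client",                         // placeholder
            Scope = "openid profile offline_access",
            RedirectUri = "com.example.app://callback",         // placeholder
            PostLogoutRedirectUri = "com.example.app://callback",
            Browser = browser                                   // platform IBrowser, supplied by caller
        };
        _client = new OidcClient(options);
    }

    // Forces the OP to re-authenticate the user even if a browser session
    // from a previous user of the device still exists (OIDC Core, prompt=login).
    public async Task<LoginResult> LoginFreshAsync()
    {
        var request = new LoginRequest
        {
            FrontChannelExtraParameters = new Parameters
            {
                { "prompt", "login" }
            }
        };

        var result = await _client.LoginAsync(request);
        if (result.IsError)
        {
            throw new InvalidOperationException($"Login failed: {result.Error}");
        }
        return result;
    }

    // Ends the OP session right after tokens are obtained, so the next person
    // using the device cannot reuse it silently. The id_token_hint identifies
    // the session to terminate; the browser is opened to the end-session endpoint.
    public async Task EndServerSessionAsync(LoginResult login)
    {
        var logout = await _client.LogoutAsync(new LogoutRequest
        {
            IdTokenHint = login.IdentityToken
        });
        if (logout.IsError)
        {
            throw new InvalidOperationException($"Logout failed: {logout.Error}");
        }
    }
}
```

With `prompt=login` in place the explicit logout is optional, which is why the maintainer's answer stops there. Note that ending the OP session does not invalidate the access or refresh tokens the app already holds; on a shared device those still need to be cleared (and the refresh token revoked, if the OP supports revocation) when the app's own session ends.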