Closed tonyeung closed 8 years ago
Due to this: https://github.com/IdentityModel/oidc-token-manager/issues/65
can you try with the new oidc-client?
Will do. Looks like the API's been simplified, but I need to adjust my own workflow in order to update the client. I should have this done by noon tomorrow and I'll update the issue.
Yes, there was a lot of internal cleanup and the API is roughly the same, but names have changed. Also, check the dev branch in the ~/samples folder -- that's the best place to look.
Just so I'm clear where and what's not working: in your NG app you create the URL to signout, and then you set it on $window.location.href and the browser is not navigating? That's the issue?
Not quite. I get to the idsvr logout page just fine. The problem is that once I log out of idsvr, it does not redirect back to my login page like I specified in the post_logout_redirect_uri settings.
But you see the link to return back to your app, yes? If not, then have you configured the PostLogoutRedirectUri in IdSvr for that client?
So then check the IdSvr logs and see if your client in IdSvr's PostLogoutRedirectUri matches the one you're sending exactly.
The url that idsvr gets is Url=https://oauth.domain.net/connect/endsession?post_logout_redirect_uri=https:%2F%2Fdomain.net%2Flogin&id_token_hint=very_long_string
Could the URL encoding cause issues?
The client info:
2016-05-13 09:59:03,965 [15] INFO IdentityServer3.Core.Validation.EndSessionRequestValidator [(null)] - End session request validation success
{
  "ClientId": "id",
  "ClientName": "name",
  "SubjectId": "RDuong@domain.com",
  "PostLogOutUri": "https://domain.net/login",
  "Raw": {
    "post_logout_redirect_uri": "https://domain.net/login",
    "id_token_hint": "very_long_string"
  }
}
There are also these log lines:
2016-05-13 09:59:04,027 [33] INFO IdentityServer3.Core.Endpoints.AuthenticationController [(null)] - Logout prompt for subject: RDuong@domain.com
2016-05-13 09:59:04,059 [6] INFO IdentityServer3.Core.Endpoints.AuthenticationController [(null)] - SignOutMessage present (from client id) and RequireSignOutPrompt is false, performing logout
2016-05-13 09:59:04,074 [6] INFO IdentityServer3.Core.Endpoints.AuthenticationController [(null)] - Logout endpoint submitted
2016-05-13 09:59:04,074 [6] INFO IdentityServer3.Core.Endpoints.AuthenticationController [(null)] - Logout requested for subject: RDuong@domain.com
2016-05-13 09:59:04,074 [6] INFO IdentityServer3.Core.Endpoints.AuthenticationController [(null)] - Clearing cookies
2016-05-13 09:59:04,090 [6] INFO IdentityServer3.Core.Endpoints.AuthenticationController [(null)] - rendering logged out page
But your client called "id" in IdSvr -- do you have a PostLogoutRedirectUri configured (like you had to configure a RedirectUri)? Somewhat like this:
new Client
{
    ClientName = "MVC OWIN Hybrid Client",
    ClientId = "mvc.owin.hybrid",
    Flow = Flows.Hybrid,
    RedirectUris = new List<string>
    {
        "https://localhost:44300/"
    },
    PostLogoutRedirectUris = new List<string>
    {
        "https://localhost:44300/"
    },
},
Yes, they match what I set on the client, other than it being URL encoded when idsvr receives it. The flow I have is an implicit flow, though. In case that matters.
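The question above was whether the URL encoding of post_logout_redirect_uri could break the match against the client's PostLogoutRedirectUris. The following is an added example, not part of the thread and not oidc-client or IdentityServer3 code, that decodes the parameter once and compares it to the registered list. The function name `checkEndSessionRequest`, the exact-equality rule and the extra sample URLs are assumptions for illustration.

```javascript
// Added example: check an end-session URL against a client's registered URIs.
// Assumption: the server decodes the query parameter once and compares it
// with exact string equality ("matches ... exactly" in the thread).
function checkEndSessionRequest(requestUrl, registeredUris) {
  const params = new URL(requestUrl).searchParams; // decodes %XX exactly once
  const sent = params.get("post_logout_redirect_uri");
  const result = {
    sent,
    hasIdTokenHint: params.has("id_token_hint"),
    matches: sent !== null && registeredUris.includes(sent),
    hint: null,
  };
  if (sent === null) {
    result.hint = "post_logout_redirect_uri missing";
  } else if (!result.matches) {
    // Diagnose the usual near-misses instead of only reporting failure.
    let decodedAgain = sent;
    try { decodedAgain = decodeURIComponent(sent); } catch (e) { /* malformed % */ }
    const stripSlash = (u) => u.replace(/\/+$/, "");
    if (decodedAgain !== sent && registeredUris.includes(decodedAgain)) {
      result.hint = "value was URL-encoded twice";
    } else if (registeredUris.some((u) => stripSlash(u) === stripSlash(sent))) {
      result.hint = "trailing slash differs";
    } else if (registeredUris.some((u) => u.toLowerCase() === sent.toLowerCase())) {
      result.hint = "letter case differs";
    } else {
      result.hint = "not registered for this client";
    }
  }
  return result;
}

// Constructed inputs; fromThread is the URL quoted in the thread.
const REGISTERED = ["https://domain.net/login"];
const BASE = "https://oauth.domain.net/connect/endsession?post_logout_redirect_uri=";
const SAMPLES = {
  fromThread: BASE + "https:%2F%2Fdomain.net%2Flogin&id_token_hint=very_long_string",
  doubleEncoded: BASE + "https%253A%252F%252Fdomain.net%252Flogin&id_token_hint=x",
  trailingSlash: BASE + "https%3A%2F%2Fdomain.net%2Flogin%2F&id_token_hint=x",
};

for (const [name, url] of Object.entries(SAMPLES)) {
  const r = checkEndSessionRequest(url, REGISTERED);
  console.log(name, r.matches ? "match" : "no match: " + r.hint);
}
```

The URL from the thread decodes to exactly the registered value, so single percent-encoding of the parameter is not what would make this comparison fail.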
Well, to be honest it looks like the oidc-client library is doing the right thing -- it's passing the id_token_hint and post_logout_redirect_uri. It seems more like something in IdSvr not honoring those params. And the logs aren't telling us enough.
I would step through the idsvr code myself but when I include the core project lots of things break. I'm sure it's something I'm not setting right but I don't know how I'm supposed to troubleshoot without stepping through the debugger.
Yea, and I'd really not expect you to. I'll have to look thru our logging code to understand why we're not getting the info we need to diagnose this.
Okay, thanks. If there's a post on how to step through the debugger I'd still like to try. I don't like to bug you guys unless I really have to.
Also, can you post more of the log file? I'm looking for something that starts around the message "Start end session request"
I don't think we have anything that shows how to debug. Most people just add IdSvr as a project and remove the nuget. Not sure why "lots of things break".
Sorry about the vagueness, it's been a week or two since I last tried. I used to be able to debug it by doing what you just said, remove the nuget package and add idsvr as an external project. I think there were version conflicts or something this time around. Anyway, I'll try again and see what the exact errors are.
Regarding the log, I've included the entire log file from login to logout. https://gist.github.com/tonyeung/124d001a373f3baf0f05b8987d1beedb
If there are version conflicts, then just grab the tag from github based on the NuGet version you're using. That should solve that issue.
The logs look like everything is working properly. The only last thing I can guess is if you have a custom UI or view that's not rendering what it needs to.
Nothing's been modified. I'll step through it and post the results later. I don't think I'll be able to get anywhere with it today, so probably Monday or Tuesday is when I'll update the issue. Thanks for your help and time.
Selecting the tag allowed me to debug. I ran into another issue where I was missing the scope shared secret and some other client side issues so I haven't been able to investigate it yet. I should be able to by end of week though.
Closing, as oidc-client is replacing the user-manager.
I've read https://github.com/IdentityModel/oidc-token-manager/issues/59 and it doesn't seem to be the problem for me.
On my Options I have EnablePostSignOutAutoRedirect = true, on the client settings, the uri is in the list for RedirectUris and PostLogoutRedirectUris, on the oidcTokenManager I pass
While debugging, the oidctokenmanager shows that an id_token_hint is passed along.
What I'm doing is that
The logout method is also called from the logout button i have, and exhibits the same behavior if I log in and then log out right away, so whether the session is still valid or not doesn't matter.
The final page I end up on is https://oauth.domain.net/logout.
The oidctokenmanager and idsvr3 are up to date with nuget. Not sure if I missed any information.