IdentityModel / oidc-token-manager

Apache License 2.0

redirectForLogout() ignores post_logout_redirect_uri on angularjs 1.x #63

Closed tonyeung closed 8 years ago

tonyeung commented 8 years ago

I've read https://github.com/IdentityModel/oidc-token-manager/issues/59 and it doesn't seem to be the problem for me.

On my Options I have EnablePostSignOutAutoRedirect = true; on the client settings, the URI is in the list for RedirectUris and PostLogoutRedirectUris; on the oidcTokenManager I pass

authority: 'https://oauth.domain.net/',
client_id: 'myId',
redirect_uri: 'https://domain.net/login',
response_type: 'id_token token',
scope: 'openid api',

post_logout_redirect_uri: 'https://domain.net/login',
silent_redirect_uri: 'https://domain.net/renew-token.html',
filter_protocol_claims: true, // remove OIDC specific claims
request_state_store: sessionStorage, // window.localStorage is default. Does not work well with multiple tabs open.
silent_renew: true

While debugging, the oidctokenmanager shows that an id_token_hint is passed along.


What I'm doing is that

The logout method is also called from the logout button I have, and exhibits the same behavior if I log in and then log out right away, so whether the session is still valid or not doesn't matter.

The final page I end up on is https://oauth.domain.net/logout.


The oidctokenmanager and idsvr3 are up to date with nuget. Not sure if I missed any information.

brockallen commented 8 years ago

Due to this: https://github.com/IdentityModel/oidc-token-manager/issues/65

Can you try with the new oidc-client?

tonyeung commented 8 years ago

Will do. Looks like the API's been simplified, but I need to adjust my own workflow in order to update the client. I should have this done by noon tomorrow and I'll update the issue.

brockallen commented 8 years ago

Yes, there was a lot of internal cleanup and the API is roughly the same, but names have changed. Also, check the dev branch in the ~/samples folder -- that's the best place to look.

tonyeung commented 8 years ago

Yea, I was using the frame before, so I had to change the logic to make the browser go to idsvr.

The good news is that everything is working again. The bad news is that it's still not redirecting.


It still doesn't redirect.

brockallen commented 8 years ago

Just so I'm clear where and what's not working: in your NG app you create the URL to signout, and then you set it on $window.location.href and the browser is not navigating? That's the issue?

tonyeung commented 8 years ago

Not quite. I get to the idsvr logout page just fine. The problem is that once I log out of idsvr, it does not redirect back to my login page like I specified in the post_logout_redirect_uri settings.

brockallen commented 8 years ago

But you see the link to return back to your app, yes? If not, then have you configured the PostLogoutRedirectUri in IdSvr for that client?

tonyeung commented 8 years ago

Nope.


brockallen commented 8 years ago

So then check the IdSvr logs and see if your client in IdSvr's PostLogoutRedirectUri matches the one you're sending exactly.

tonyeung commented 8 years ago

The url that idsvr gets is Url=https://oauth.domain.net/connect/endsession?post_logout_redirect_uri=https:%2F%2Fdomain.net%2Flogin&id_token_hint=very_long_string

Could the URL encoding cause issues?

The client info:

2016-05-13 09:59:03,965 [15] INFO  IdentityServer3.Core.Validation.EndSessionRequestValidator [(null)] - End session request validation success
{
  "ClientId": "id",
  "ClientName": "name",
  "SubjectId": "RDuong@domain.com",
  "PostLogOutUri": "https://domain.net/login",
  "Raw": {
    "post_logout_redirect_uri": "https://domain.net/login",
    "id_token_hint": "very_long_string"
  }
}

There are also these log lines:

2016-05-13 09:59:04,027 [33] INFO  IdentityServer3.Core.Endpoints.AuthenticationController [(null)] - Logout prompt for subject: RDuong@domain.com
2016-05-13 09:59:04,059 [6] INFO  IdentityServer3.Core.Endpoints.AuthenticationController [(null)] - SignOutMessage present (from client id) and RequireSignOutPrompt is false, performing logout
2016-05-13 09:59:04,074 [6] INFO  IdentityServer3.Core.Endpoints.AuthenticationController [(null)] - Logout endpoint submitted
2016-05-13 09:59:04,074 [6] INFO  IdentityServer3.Core.Endpoints.AuthenticationController [(null)] - Logout requested for subject: RDuong@domain.com
2016-05-13 09:59:04,074 [6] INFO  IdentityServer3.Core.Endpoints.AuthenticationController [(null)] - Clearing cookies
2016-05-13 09:59:04,090 [6] INFO  IdentityServer3.Core.Endpoints.AuthenticationController [(null)] - rendering logged out page

brockallen commented 8 years ago

But your client called "id" in IdSvr -- do you have a PostLogoutRedirectUri configured (like you had to configure a RedirectUri)? Somewhat like this:

new Client
{
    ClientName = "MVC OWIN Hybrid Client",
    ClientId = "mvc.owin.hybrid",
    Flow = Flows.Hybrid,

    RedirectUris = new List<string>
    {
        "https://localhost:44300/"
    },

    PostLogoutRedirectUris = new List<string>
    {
        "https://localhost:44300/"
    },
},

tonyeung commented 8 years ago

Yes, they match what I set on the client, other than it being URL encoded when idsvr receives it. The flow I have is an implicit flow, though, in case that matters.
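The two points raised above (whether the percent-encoding seen in the IdSvr log matters, and how the registered PostLogoutRedirectUris are matched) as an added example; this is not code from oidc-client or IdentityServer3. The client half builds the end-session URL, the server half decodes it and applies the exact-match check; hostnames, the registered list and the token value are constructed placeholders.

```javascript
// Added example, not oidc-client or IdentityServer3 code. Hosts, URIs and the
// token value are constructed placeholders modelled on the issue's log line.
const END_SESSION_ENDPOINT = "https://oauth.domain.net/connect/endsession";
const REGISTERED_POST_LOGOUT_URIS = ["https://domain.net/login"];

// Client side: build the RP-initiated logout URL. URLSearchParams
// percent-encodes the redirect value, which is why the log shows
// https:%2F%2Fdomain.net%2Flogin rather than the plain URI.
function buildEndSessionUrl(idTokenHint, postLogoutRedirectUri) {
  const params = new URLSearchParams();
  params.set("id_token_hint", idTokenHint);
  params.set("post_logout_redirect_uri", postLogoutRedirectUri);
  return `${END_SESSION_ENDPOINT}?${params.toString()}`;
}

// Server side: what an end-session validator has to do with that URL.
// searchParams.get() percent-decodes once, so the value compared is the plain
// URI again; the comparison is an exact, case-sensitive string match against
// the client's registered list. A trailing slash, a different scheme or an
// extra path segment is a different URI and must be refused, otherwise the
// logout page could send the user to an arbitrary site.
function validateEndSession(url, registeredUris) {
  const query = new URL(url).searchParams;
  const idTokenHint = query.get("id_token_hint");
  const requested = query.get("post_logout_redirect_uri");
  if (!idTokenHint) {
    // Without id_token_hint the server cannot tell which client is asking,
    // so it has no registered list to check against and drops the redirect.
    return { ok: true, postLogoutUri: null, reason: "no id_token_hint" };
  }
  if (requested === null) {
    return { ok: true, postLogoutUri: null, reason: "no redirect requested" };
  }
  if (!registeredUris.includes(requested)) {
    return { ok: false, postLogoutUri: null, reason: "redirect uri not registered" };
  }
  return { ok: true, postLogoutUri: requested, reason: "" };
}

// The exact form seen in the IdSvr log: ':' left literal, '/' encoded.
const LOGGED_URL = END_SESSION_ENDPOINT +
  "?post_logout_redirect_uri=https:%2F%2Fdomain.net%2Flogin&id_token_hint=very_long_string";
```

Both the URL built by the client and the one copied from the log decode to the same registered string, so the encoding alone cannot make the match fail.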

brockallen commented 8 years ago

Well, to be honest it looks like the oidc-client library is doing the right thing -- it's passing the id_token_hint and post_logout_redirect_uri. It seems more like something in IdSvr not honoring those params. And the logs aren't telling us enough.

tonyeung commented 8 years ago

I would step through the idsvr code myself, but when I include the core project lots of things break. I'm sure it's something I'm not setting right, but I don't know how I'm supposed to troubleshoot without stepping through the debugger.

brockallen commented 8 years ago

Yea, and I'd really not expect you to. I'll have to look through our logging code to understand why we're not getting the info we need to diagnose this.

tonyeung commented 8 years ago

Okay, thanks. If there's a post on how to step through the debugger I'd still like to try. I don't like to bug you guys unless I really have to.

brockallen commented 8 years ago

Also, can you post more of the log file? I'm looking for something that starts around the message "Start end session request".

brockallen commented 8 years ago

I don't think we have anything that shows how to debug. Most people just add IdSvr as a project and remove the nuget. Not sure why "lots of things break".

tonyeung commented 8 years ago

Sorry about the vagueness, it's been a week or two since I last tried. I used to be able to debug it by doing what you just said: remove the nuget package and add idsvr as an external project. I think there were version conflicts or something this time around. Anyway, I'll try again and see what the exact errors are.

Regarding the log, I've included the entire log file from login to logout. https://gist.github.com/tonyeung/124d001a373f3baf0f05b8987d1beedb

brockallen commented 8 years ago

If there are version conflicts, then just grab the tag from github based on the NuGet version you're using. That should solve that issue.

brockallen commented 8 years ago

The logs look like everything is working properly. The only last thing I can guess is if you have a custom UI or view that's not rendering what it needs to.

tonyeung commented 8 years ago

Nothing's been modified. I'll step through it and post the results later. I don't think I'll be able to get anywhere with it today, so probably Monday or Tuesday is when I'll update the issue. Thanks for your help and time.

tonyeung commented 8 years ago

Selecting the tag allowed me to debug. I ran into another issue where I was missing the scope shared secret and some other client side issues, so I haven't been able to investigate it yet. I should be able to by end of week though.

brockallen commented 8 years ago

Closing, as oidc-client is replacing the user-manager.