IdentityServer / IdentityServer3

OpenID Connect Provider and OAuth 2.0 Authorization Server Framework for ASP.NET 4.x/Katana
https://identityserver.github.io/Documentation/
Apache License 2.0

External IDP Post Logout Redirect gets stuck #2743

Open strtdusty opened 8 years ago

strtdusty commented 8 years ago

This is somewhat related to issue 2657 but not completely. I believe once that issue is resolved they will move on to this issue.

When logging out of a federated provider (AAD for me) you do not get redirected to the PostRedirectLogoutUri requested. You end up stopped on the ID3 logout view with no text or link to the redirect (those sections of the view model are null). Tracing it back, I am blaming the problem on prematurely removing the Signout Message Cookie.

1. The client application requests a logout by posting a request to the IS3 /endsession passing the redirect uri and the token hint.  
   The Signout Message Cookie is created and the browser is redirected to /logout
2. AuthenticationController.Logout(id) is called.  Internally IDS calls QueueRemovalOfSignOutMessageCookie().  
   The method completes and raises the logged out event.
3. The LoggedOutViewModel is constructed, but not actually used because we have not hit our callback and called RenderLoggedOutViewAsync
4. The Signout Message Cookie is deleted. :(
5. The user is redirected to the external provider's logout page.  
   The redirect passed here is to our callback (/signoutcallback).  
   We pull the signout message ID from a temporary cookie and call RenderLoggedOutViewAsync with that state.
6. AuthenticationController.Logout(id) is called a second time.  
   However, when reading the Signout Message Cookie nothing is found because it was deleted the first time through.  
   The logout view is rendered with a partial view model that does not contain any of the state from the Signout Message Cookie.

My proposed solution is to protect the removal of the signout message cookie by changing the Logout method to only call it when it is actually time to render the logout view:

if (context.ShouldRenderLoggedOutPage()) { context.QueueRemovalOfSignOutMessageCookie(id); }

If this makes sense, I would be happy to create a fork/PR for review.
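The two-pass sequence described in the report, as an added illustration that is not IdentityServer3 code and not the reporter's code: a small C# model of a logout handler that is invoked once before the external IdP round-trip and once more at the callback, with the signout state kept in a cookie-like store. The type and method names (SignOutState, LogoutPipeline, BrowserCookies, Demo.Run) are hypothetical and do not map to IdentityServer3 types. The security-relevant point it shows is why the callback has nothing to render: the post-logout redirect URI must come from the stored signout state, which was validated against the client's registration when /endsession was called, never from the callback request itself, so once the state is removed there is no trustworthy redirect to offer and the view falls back to a blank page.

```csharp
// Added illustration of the early-removal bug described in the issue; hypothetical
// names, not IdentityServer3 types. Run as a console program.
using System;
using System.Collections.Generic;

public sealed class SignOutState
{
    public string ClientId { get; set; }
    // Already validated against the client's registered post-logout URIs at /endsession.
    public string PostLogoutRedirectUri { get; set; }
}

// Stand-in for the browser cookie jar holding the Signout Message Cookie.
public sealed class BrowserCookies
{
    private readonly Dictionary<string, SignOutState> _store = new Dictionary<string, SignOutState>();
    public void Set(string id, SignOutState state) => _store[id] = state;
    public SignOutState Get(string id) => _store.TryGetValue(id, out var s) ? s : null;
    public void Remove(string id) => _store.Remove(id);
}

public sealed class LoggedOutViewModel
{
    public string ClientId;
    public string RedirectUrl;
    // Null RedirectUrl is exactly the "no text or link" page the reporter sees.
    public bool HasRedirect => RedirectUrl != null;
}

public sealed class LogoutPipeline
{
    private readonly BrowserCookies _cookies;
    private readonly bool _guardCookieRemoval;
    private readonly bool _externalIdpRequiresSignout;

    public LogoutPipeline(BrowserCookies cookies, bool guardCookieRemoval, bool externalIdpRequiresSignout)
    {
        _cookies = cookies;
        _guardCookieRemoval = guardCookieRemoval;
        _externalIdpRequiresSignout = externalIdpRequiresSignout;
    }

    // Models Logout(id). Returns the view model when the logged-out page is rendered,
    // or null when the browser is being sent to the external IdP's logout page.
    public LoggedOutViewModel Logout(string signOutId, bool isCallbackFromIdp)
    {
        SignOutState state = _cookies.Get(signOutId);
        bool shouldRenderLoggedOutPage = isCallbackFromIdp || !_externalIdpRequiresSignout;

        // Unguarded: the state is discarded on the first pass, before the IdP round-trip.
        // Guarded (the proposed fix): only discard it when the page is actually rendered.
        if (!_guardCookieRemoval || shouldRenderLoggedOutPage)
        {
            _cookies.Remove(signOutId);
        }

        if (!shouldRenderLoggedOutPage)
        {
            return null; // redirect to external IdP; it calls back with the same id
        }

        return new LoggedOutViewModel
        {
            ClientId = state?.ClientId,
            RedirectUrl = state?.PostLogoutRedirectUri
        };
    }
}

public static class Demo
{
    public static LoggedOutViewModel Run(bool guardCookieRemoval)
    {
        var cookies = new BrowserCookies();
        const string id = "signout-0001"; // constructed sample id
        cookies.Set(id, new SignOutState
        {
            ClientId = "mvc-client", // constructed sample client
            PostLogoutRedirectUri = "https://client.example/signout-done" // constructed sample URI
        });

        var pipeline = new LogoutPipeline(cookies, guardCookieRemoval, externalIdpRequiresSignout: true);
        pipeline.Logout(id, isCallbackFromIdp: false); // first pass: sent to the IdP
        return pipeline.Logout(id, isCallbackFromIdp: true); // second pass: /signoutcallback
    }

    public static void Main()
    {
        Console.WriteLine("unguarded removal, redirect available: " + Run(false).HasRedirect);
        Console.WriteLine("guarded removal,   redirect available: " + Run(true).HasRedirect);
    }
}
```

With the guard off, the second pass finds no state and produces a view model with a null redirect; with the guard on, the same two calls return the stored client id and redirect URI. The design choice worth keeping in mind when reviewing a fix like this is that the state should still be removed exactly once, on the pass that renders the page, so the id cannot be replayed later to obtain a redirect.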

brockallen commented 8 years ago

The Signout Message Cookie is deleted

This only happens if the response status code is 200, so if you get redirected back to the IdP then the cookie is not removed. Am I missing something?

strtdusty commented 8 years ago

It is entirely possible that I am missing something. The cookie is removed before redirecting to the IdP. So when you come back from the IdP there is no context/view model.

brockallen commented 8 years ago

Ok, I can see if I can repro.

strtdusty commented 8 years ago

@brockallen I have a repo project available at https://github.com/strtdusty/IS3PostLogoutRedirectExample/

strtdusty commented 8 years ago

Did the repo project work for you?

brockallen commented 8 years ago

I did not yet look at it.

AliBazzi commented 7 years ago

I think I have the same issue here

brockallen commented 6 years ago

I never looked into this, but I'll change it to a bug report. The real issue here is that we don't plan on any more enhancement to this project.