search

IdentityServer / IdentityServer4.WsFederation

Sample for implementing WS-Federation IdP support for IdentityServer4
Apache License 2.0
67 stars 53 forks source link

Missing support for PostLogoutRedirectUri #9

Closed pi3k14 closed 6 years ago

pi3k14 commented 6 years ago

As I understand it the redirect to connect/endsession in WsFederationController.ProcessSignOut() need parameters for id_token_hint and post_logout_redirect_uri to have IdentityServer4 make a final redirect to the client during logout. I don't understand how to create/get the id_token for getting this to work, any suggestions?

Or, do I have to create and register a custom EndSessionRequestValidator for this to work?

brockallen commented 6 years ago

You'd have to change how that signout work to use the IdentityServer logoutpage design. Perhaps look at how the OIDC end session code handles it now and replicate that (in a PR perhaps)?

pi3k14 commented 6 years ago

@brockallen - to be sure I understand what you are suggesting. Alter the WsFederationController.ProcessSignOut method to not redirect to "connect/endsession", but instead "move the code" from that into ProcessSignOut and replace the use of EndSessionRequestValidator with a new WsFederationSignoutRequestValidator?

Alternative - hack it with IdentityServerTools.IssueJwtAsync(3600, new List { new Claim(JwtClaimTypes.Audience, clientId) }) and send that as id_token_hint?

iyhammad commented 6 years ago

Hi @pi3k14 Did you complete this scenario?

pi3k14 commented 6 years ago

@iyhammad for now we are using the "alternative" version. Injecting IdentityServerTools into WsFederationController

and alter the ProcessSignOut method to include var hint = await _tools.IssueJwtAsync(3600, new List<Claim> { new Claim(JwtClaimTypes.Audience, realm) }); url = Url.Action("endsession", "connect", new { id_token_hint = hint, post_logout_redirect_uri = reply }); In our case we get the realm from SignOutRequestMessage and does a validation against Request.Headers["Referer"], in addition there should be a check against _userSession.GetClientListAsync();

But we haven't drawn up a general solution (yet).

iyhammad commented 6 years ago

I tried this but I got these errors in the log

DEBUG 2018-08-01 11:17:18,339 [7    ] tityServer4.Endpoints.EndSessionEndpoint - Processing signout request for 2
DEBUG 2018-08-01 11:17:18,346 [7    ] r4.Validation.EndSessionRequestValidator - Start end session request validation
DEBUG 2018-08-01 11:17:18,353 [7    ] dentityServer4.Validation.TokenValidator - Start identity token validation
ERROR 2018-08-01 11:17:18,371 [7    ] dentityServer4.Validation.TokenValidator - No clientId supplied, can't find id in identity token.
INFO  2018-08-01 11:17:18,378 [7    ] r4.Validation.EndSessionRequestValidator - End session request validation failure: Error validating id token hint
{
  "SubjectId": "unknown",
  "Raw": {
    "id_token_hint": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjRDQThEMkJEQTMxOEIyN0IxNDVCRDAzMTY2NjQ5QUFBNkE1QTZFN0MiLCJ0eXAiOiJKV1QiLCJ4NXQiOiJUS2pTdmFNWXNuc1VXOUF4Wm1TYXFtcGFibncifQ.eyJuYmYiOjE1MzMxMjIyMzgsImV4cCI6MTUzMzEyNTgzOCwiaXNzIjoiaHR0cDovL2tpdGRldnNwMjAxMzAxOjEyMzQ0IiwiSWRlbnRpdHlTZXJ2ZXIiOiJ1cm46c2hhcmVwb2ludCIsImNsaWVudGlkIjoidXJuOnNoYXJlcG9pbnQifQ.fm-A5jaHOI3YI29wlWSNo197Jcpdlf_71xp89edlka8CD_t3Jz10czJzeSMw2iMyZO5U-Lf_xOBM59q8k5S22vS9ww_BNW90_RrPL0O3fluG1kn_aOKxweWloK7Q5b3aqRGcWAnX0TE60m7CxMDXRrseGu9gUTg68PACK_r0ofXleUOLYxLXbdLCxg8ioSNSGkaZtGBQS8QAuisDMIbeB5q13BYl-B0-Lw1KYI8ABUZTGomwr59LpJUmW41TrG8WaXb8n1hzbBabttiLtRgnksyPiLsTyEyCgZQ9syyYAVc7l2THohBjrDWfET3gwqIuZu6i63Fh7bRSeJHIVLow48rRmtJrZTcGScmEPppjtMxefoSBsN3K6SCZ3U7jbIgkmDVGBWfDQkuG4Vfyk5q1LHNtqjLFf_JXsif88fWYxzOrtZIfzqGM2e48Jp4A4ijteWcirtdHZPyZ70vIaoybJxo0o9sACIuakB5Vnw10Rqk7ORRvk3J5AFv5bkKCooN9ZMVpNff9BnIAQwFlWkuDuFiQtUDpdZdUNzknRHuhsXELGJEI0luDuE17lpp-tulOFra8B_LGZU1gXdEp5IghW5X4vTCK9ek-4A--X1E48O9in4m0RtoPaY3MjDYGMbwtps6FkjmoZda_RqJUXKWRkJgEB_PTFFaxUX7ocJ30jEM",
    "post_logout_redirect_uri": "http://kitdevsp201301"
  }
}
ERROR 2018-08-01 11:17:18,380 [7    ] tityServer4.Endpoints.EndSessionEndpoint - Error processing end session request Invalid request
INFO  2018-08-01 11:17:18,386 [7    ] soft.AspNetCore.Hosting.Internal.WebHost - Request finished in 73.6363ms 302

and logoutId is not being sent to the Controller/Logout after the endsession. Did you face this before?

pi3k14 commented 6 years ago

@iyhammad - and you included Audience in the hint? Because from Idsrv4 code, that is what is causing this failure TokenValidator

iyhammad commented 6 years ago

@pi3k14 Thank you very much. I was adding it but in a wrong way.

RemcoBlok commented 5 years ago

Hi The suggested solution to pass an id_token_hint from the WsfederationController with the wtrealm does not work when using IdentityServer as a claims provider in ADFS 2016. ADFS 2016 does not pass the wtrealm parameter to the claims provider on signout. I went back to my IdentityServer 3 claims provider in ADFS 2016 and this one handles the signout ok without the wtrealm parameter. Why does IdentityServer 4 require this? Is there another way to generate the id_token_hint? Perhaps with the suggested WsFederationSignoutRequestValidator? Will it be able to generate the id_token_hint without the wtrealm parameter? thanks Remco