OrchardCMS / OrchardCore

Orchard Core is an open-source modular and multi-tenant application framework built with ASP.NET Core, and a content management system (CMS) built on top of that framework.
https://orchardcore.net
BSD 3-Clause "New" or "Revised" License

Redirect to wrong home page on Are you sure you want to log out? in open id #13089

Open vitalybrandes opened 1 year ago

vitalybrandes commented 1 year ago

When you try to log out from an SPA with the "Are you sure you want to log out?" template and click No, you are redirected to the server URL home page instead of the SPA. In my case, the server and UI are running in different containers.

Expected behavior

If using OpenID, redirect to the app redirect URL.

vitalybrandes commented 1 year ago

In AccessController.cs (https://github.com/OrchardCMS/OrchardCore/tree/main/src/OrchardCore.Modules/OrchardCore.OpenId/Controllers), LogoutDeny() at line 385 needs to be changed to:

await HttpContext.SignOutAsync();

// If no post_logout_redirect_uri was specified, redirect the user agent
// to the root page, that should correspond to the home page in most cases.
if (string.IsNullOrEmpty(request.PostLogoutRedirectUri))
{
    return Redirect("~/");
}

Same behavior as in LogoutAccept().

hishamco commented 1 year ago

@vitalybrandes can you submit a PR for it?

gvkries commented 7 months ago

I've encountered this issue and would like to address it. One question, though: Is the OIDC server allowed to add a query parameter to the redirect URI to inform the relying party about the cancellation?

kevinchalet commented 3 weeks ago

If we want to make that configurable, the URI will need to be server-controlled (we can't use post_logout_redirect_uri for that).

@gvkries are you still interested in fixing that?