aspnet / AspNetKatana

Microsoft's OWIN implementation, the Katana project
Apache License 2.0

Logout by OpenID Connect auth provider is failed after HttpContext.Current.User reassigning #395

Closed SeminDM closed 3 years ago

SeminDM commented 3 years ago

Hello! I have an ASP.NET application.

Startup.cs
public void Configuration(IAppBuilder app)
{
    ...
    OpenIdConnectAuthenticationOptions options = new ...
    options.Notifications.RedirectToIdentityProvider = BeforeRedirectToIdentityProviderAsync;
    app.UseOpenIdConnectAuthentication(options);

    AntiForgeryConfig.UniqueClaimTypeIdentifier = JwtRegisteredClaimNames.Email;
    ...
}

From OpenID Connect RP-Initiated Logout 1.0: "An id_token_hint carrying an ID Token for the RP is also REQUIRED when requesting post-logout redirection; if it is not supplied with post_logout_redirect_uri, the OP MUST NOT perform post-logout redirection."

For this reason, BeforeRedirectToIdentityProviderAsync has been added.

private Task BeforeRedirectToIdentityProviderAsync(... redirectToIdentityProviderNotification)
{
    // Only a logout request needs the id_token_hint; look the claim up once.
    if (redirectToIdentityProviderNotification.ProtocolMessage.RequestType == OpenIdConnectRequestType.Logout)
    {
        var idTokenClaim = redirectToIdentityProviderNotification.OwinContext.Authentication.User.FindFirst("id_token");
        if (idTokenClaim != null)
        {
            redirectToIdentityProviderNotification.ProtocolMessage.IdTokenHint = idTokenClaim.Value;
        }
    }
    return Task.FromResult(result: false);
}

Also, I have a method Application_PostAuthenticateRequest which is called on every request:

private void Application_PostAuthenticateRequest(object sender, EventArgs e)
{
    ...
    //var validToken= HttpContext.Current.GetOwinContext().Authentication.User.FindFirst("id_token");
    HttpContext.Current.User = new SessionPrincipal(userIdentity);
    //var emptyToken= HttpContext.Current.GetOwinContext().Authentication.User.FindFirst("id_token");
    ...
}

The SessionPrincipal class is widely used in the application.

Login with the external IdP works correctly. But logout doesn't work, because after assigning HttpContext.Current.User the environment of the OwinContext (source) has a User with only one claim (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name), and in BeforeRedirectToIdentityProviderAsync the id_token was not found.

  1. Why does the ClaimsIdentity in the OwinContext have only one claim?
  2. Is it possible to keep all claims after HttpContext.Current.User is reassigned?
  3. Why does this claim have the type "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" and not one from JwtRegisteredClaimNames?

Thank you!
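One way to keep the OpenID Connect claims reachable from the logout notification when the application replaces the principal, as an added example that is not part of this issue or of the Katana code base. It assumes that the System.Web host presents the same principal as HttpContext.Current.User to OWIN (so replacing one replaces the other), and that the id_token was stored as a claim named "id_token" during sign-in, as the issue's handler implies. SessionPrincipal, the "ApplicationSession" authentication type and the way the session identity is built are hypothetical stand-ins for the application's own types.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.Owin.Security.Notifications;
using Microsoft.Owin.Security.OpenIdConnect;

// Hypothetical stand-in for the application's SessionPrincipal: a ClaimsPrincipal that
// carries the application's session identity first (so it stays the primary Identity)
// but keeps the identity produced by the authentication middleware alongside it.
// ClaimsPrincipal.FindFirst searches every identity, so the "id_token" claim stays visible.
public class SessionPrincipal : ClaimsPrincipal
{
    public SessionPrincipal(ClaimsIdentity sessionIdentity, ClaimsIdentity authenticatedIdentity)
        : base(new[] { sessionIdentity, authenticatedIdentity })
    {
    }
}

public static class PrincipalHandling
{
    // Runs on every request after authentication (Global.asax.cs wiring assumed).
    public static void OnPostAuthenticateRequest(HttpContext httpContext)
    {
        var owinUser = httpContext.GetOwinContext().Authentication.User;
        var authenticatedIdentity = owinUser?.Identity as ClaimsIdentity;
        if (authenticatedIdentity == null || !authenticatedIdentity.IsAuthenticated)
        {
            return; // anonymous request: leave the principal alone
        }

        // The application's own session identity (hypothetical construction). A fresh
        // ClaimsIdentity uses ClaimTypes.Name, i.e.
        // "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", for its name claim,
        // which is the single claim type observed in the issue.
        var sessionIdentity = new ClaimsIdentity(
            new[] { new Claim(ClaimTypes.Name, authenticatedIdentity.Name ?? string.Empty) },
            "ApplicationSession");

        // Replacing HttpContext.User also replaces what OWIN sees as the user; wrapping
        // both identities keeps the middleware's claims (including "id_token") available.
        httpContext.User = new SessionPrincipal(sessionIdentity, authenticatedIdentity);
    }

    // RedirectToIdentityProvider notification: attach id_token_hint on logout.
    public static Task BeforeRedirectToIdentityProviderAsync(
        RedirectToIdentityProviderNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
    {
        if (notification.ProtocolMessage.RequestType == OpenIdConnectRequestType.Logout)
        {
            var idToken = notification.OwinContext.Authentication.User?.FindFirst("id_token");
            if (idToken != null)
            {
                notification.ProtocolMessage.IdTokenHint = idToken.Value;
            }
            // Without an id_token_hint the OP must not perform post-logout redirection
            // (RP-Initiated Logout 1.0), so a missing claim here means the user ends up
            // on the OP's own logout page instead of post_logout_redirect_uri.
        }
        return Task.FromResult(0);
    }
}
```

The check that matters for the logout flow is the one in the notification: the id_token_hint is only set when the claim is actually present, and because the wrapped principal still contains the middleware's identity, FindFirst finds it even though the primary identity is the application's session identity. The alternative of copying the claims into the session identity works as well, but keeping the original identity intact avoids having to decide which claim types to copy.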