Closed karthik25 closed 6 years ago
Can you share a Fiddler trace file showing the signout flow?
@Tratcher Thanks for responding. Can I send the fiddler traces privately?
EDIT: I see your email address in your profile. Would it be okay to email the traces to that email address?
Yes
@Tratcher Just sent an email with the traces. Thank you!
I did try out the following too as a last resort earlier. Interestingly the callback was never invoked (locally and hence after deployment to our app service too).
OnSignedOutCallbackRedirect = r =>
{
r.Response.Redirect("http://www.somesite.com");
r.HandleResponse();
return Task.FromResult(0);
}
Even more interesting fact is that this does not happen in my development environment. That makes it more difficult to debug.
@Tratcher I was also wondering if the state query parameter passed to b2clogin.com had the redirect uri. post_logout_uri
is plain text, so that seems fine. Is it getting lost when its passed on to https://our-id-server/signout-callback-oidc?state=
?
Is there a utility where this state can be decoded? May be a naive question, I did not find one online and never had had to decode it until today!
No, it's encrypted. It's only readable as the AuthenticationProperties collection in your OIDC events.
@Tratcher Makes sense, I am adding more logging to see if I can figure out what's happening. While I am doing that I was wondering about the following:
OnSignedOutCallbackRedirect
never gets invoked? Since its a new event, google is not of much helpstate
parameter does not have the redirect uri populated?@Tratcher Yes, I tried hooking in to OnSignedOutCallbackRedirect for another provider that works fine and that did not get called either. I will have to see why. And regarding the 2nd question, I was hoping for something else apart from that since OnSignedOutCallbackRedirect is not getting invoked. But let me keep investigating. Let me leave the issue open until I know more. Thanks!
@Tratcher Okay, I still have no idea why the callback is not invoked. Also I am sure the redirect uri is set before the external sign out is initiated as shown below:
string url = Url.Action("Logout", new { logoutId = vm.LogoutId });
return SignOut(new Microsoft.AspNetCore.Authentication.AuthenticationProperties { RedirectUri = url }, vm.ExternalAuthenticationScheme);
I can see the redirect url in the log, its about 988 bytes. Is that causing issues may be? After this step the oauth/v2.0/logout
endpoint is called. So I am sure the state includes it. Wondering why signout-callback-oidc
does not include it.
I will keep investigating - I have a feeling its the length of the url. Identity server supports the ability to customize the logout id. I will try that out. Thanks!
@Tratcher Apparently for my other Open id providers, OnSignedOutCallbackRedirect
is being called. Not for B2C though. Also I tried a custom logout message store shortening the url from 988 bytes to less than 100 bytes, but still had the same issue.
I had one question (if you still have the traces I emailed). Earlier you said the the state passed to signout-callback-oidc
did not include the redirect url. I was wondering if the state passed to b2clogin.com
contained the redirect uri. Since before the sign out redirect I see the redirect url being included in AuthenticationProperties
.
I was not able to decode the contents of the state field, I only inferred the missing field from the code. Since you have multiple OIDC providers you'll want to give them different SignedOutCallbackPath values. Otherwise they will conflict and the first one registered will handle the requests. That would explain why your events are not getting called.
@Tratcher The callback gets called now! I am setting the SignedoutCallbackPath
for all of my open id providers now. Did not face any issue in .net core 1.1 where I only was setting the CallbackPath
. So this never occurred to me! I cannot thank you enough, really, was about to go mad. If at all you are in Baltimore beer is on me :)
I have an identity server which supports multiple open id providers one of which is B2C. After I upgraded the application from .net core 1.1 to .net core 2.1, the signout redirects have stopped working. The application reaches the
signout-callback-oidc
handler and stops there with an empty page with no information about what went wrong.The production instance that uses .Net 1.1 instance still works. I tried setting the signout url in the list of reply urls for the B2C application as suggested in one of the Q & A sites, but that did not help either. Can you please offer some pointers on how I could identify whats going on? Tried looking up for ways to hook up logging for
AddOpenIdConnect
, but did not find anything for that either.Sequence of urls traversed
.Net core 2.1 (Stops at signout-callback-oidc?state=<state> w/ a blank page)
.Net core 1.1 (Successful)
Open ID Setup for B2C