Closed qq1176914912 closed 6 months ago
I noticed two problems and both are fixed in the master
branch:
Can you fetch the latest changes from the master and try again
I noticed two problems and both are fixed in the
master
branch:
- When the session expires, clients are not notified. I added a Hangfire job to automatically notify clients when the session expires.
- If the client does not have a Back Channel Logout Redirect URL and the session expires, clicking on the 'Disconnect' button redirects the end-user to the Login page instead of the client.
Can you fetch the latest changes from the master and try again
I have tested your new version and it still has issues. Firstly, I am still using the same project:“ https://github.com/duendesoftware/samples/tree/main/identityserver/v7/sessionmanagement/backchannelclient ”, Existing problems
When the session expires, the project has not been logged out and clicking logout will not be able to log out. 'Secure' again will still display the previous login information,After testing, it was found that regardless of whether the Backchannel logout URL is configured or not, it cannot be exited
The 'Backchannel logout URL' function is no longer working. Whether it is rejecting at session or exiting the account on 5001, the 'Backchannel logout URL' cannot receive messages and causes the client to exit
problem
You can see that when the backchannelclient project is successfully logged in, there is a 'Refresh token' button, and the address of this method is:
If it's your project, how can I request a 'Refresh token'
recommendation Regarding session expiration, it is recommended that you add an option to set the session expiration time so that when testing, you can manually change the expiration time without restarting the project.
I have tested the BackChannelClient
, and everything is functioning correctly with the latest changes made on the master
branch.
Could you please check the following points:
LogoutController
class ?Replace the following code:
var disco = await client.GetDiscoveryDocumentAsync("https://localhost:5001");
With
var disco = await client.GetDiscoveryDocumentAsync("https://localhost:5001/master");
mvc.backchannel.sample
has the Refresh Token
grant-type.https://localhost:5001/connect/token
with https://localhost:5001/master/token
.The session's lifetime can be updated in the client view.
Navigate to the Advanced Tab
and update the Token Expiration time field.
I have tested the
BackChannelClient
, and everything is functioning correctly with the latest changes made on themaster
branch.Could you please check the following points:
- Have you updated the discovery URL in the
LogoutController
class ?Replace the following code:
var disco = await client.GetDiscoveryDocumentAsync("https://localhost:5001");
With
var disco = await client.GetDiscoveryDocumentAsync("https://localhost:5001/master");
- In the administration website, verify whether the client
mvc.backchannel.sample
has theRefresh Token
grant-type.
- Replace the URL
https://localhost:5001/connect/token
withhttps://localhost:5001/master/token
.The session's lifetime can be updated in the client view. Navigate to the
Advanced Tab
and update the Token Expiration time field.
After my testing, it still doesn't work.
This is the configuration of my client:
I added a sentence in the client logout interface:
When I rejected the session on 5002, the logout interface did not output
Enter exit logic
, which proves that he did not receive the message.
Then I will use the project you previously submitted in "Dec 2, 2023" and the same database as the latest project. The old project will successfully notify the "Backchannel logout URL" and output "Enter exit logic".
So where did the problem occur? Before you fix this problem: https://github.com/simpleidserver/SimpleIdServer/issues/648#issue-2027733047 , it can still be used normally
And I also found that the 5001 project keeps prompting this error. I found that this is the address of one of my clients, and the problem is that I am not using this client. Why does he keep prompting this error.
There is still an issue, because if at least one client in the session is not online, then the IdServer cannot call the endpoint Back Channel Logout URL
to invalidate the session.
This issue is now fixed in the master
branch.
There is still an issue, because if at least one client in the session is not online, then the IdServer cannot call the endpoint
Back Channel Logout URL
to invalidate the session.This issue is now fixed in the
master
branch.
Are you sure you have fixed it? I downloaded the updated version of 'Dec 12, 2023' from your 'master', but it still has an issue and the 'Backchannel logout URL' is still not effective. Whether it is rejecting the session on 5002 or logging out on 5001, the client has not been notified.
If there is indeed no problem with the Backchannel logout URL from your end, if it is convenient for you, this is my SQL file (please remove the. txt at the end). I am not sure if it is a problem with my configuration, and I really don't know where the problem is. __EFMigrationsHistory.sql.txt
Can-you stop the application, execute this SQL Instruction and try again ?
UPDATE public."UserSession" SET "IsClientsNotified" = true
Can-you stop the application, execute this SQL Instruction and try again ?
UPDATE public."UserSession" SET "IsClientsNotified" = true
Following your instructions, everything is now working. Thank you for your patient assistance. Can you add a reject all button on the session page? If there are too many clients logged in to this account, it may be troublesome to kick them out one by one.I tried to add it myself before, rejecting all operations at the interface where you reject a single session. However, due to your recent changes in the logic of rejecting a single session, I don't know how to change it.
There is another question. I want to release the project to someone else who doesn't have a database installed on their computer, but I want them to use the things in my database. I know I can put my SQL file in the project to ensure that they are using the content of my database, but how to read this SQL file is a problem, just like the MDF file mentioned on Microsoft's official website: https://learn.microsoft.com/zh-cn/visualstudio/data-tools/add-new-connections?view=vs-2022
What I want to ask is, if I need to modify your project if I use MDF to read the database.
To utilize the MDF file in the IdServer solution, follow these steps:
SimpleIdServer.IdServer.Startup
project.appsettings.json
file.DistributedCacheConfiguration.Type
and StorageConfiguration.Type
to SQLSERVER
.DistributedCacheConfiguration.ConnectionString
and StorageConfiguration.ConnectionString
to Data Source=(LocalDB)\\MSSQLLocalDB;AttachDbFilename=<MDF_FILE_PATH>;Integrated Security=True;Connect Timeout=30
. Be sure to replace the MDF_FILE_PATH
variable with the full path of the MDF File.By the way, I made some modifications in the master
branch to revoke all sessions of a user :)
To utilize the MDF file in the IdServer solution, follow these steps:
- Download the MDF file and place it in the
SimpleIdServer.IdServer.Startup
project.- Edit the
appsettings.json
file.- Set the properties
DistributedCacheConfiguration.Type
andStorageConfiguration.Type
toSQLSERVER
.- Set the properties
DistributedCacheConfiguration.ConnectionString
andStorageConfiguration.ConnectionString
toData Source=(LocalDB)\\MSSQLLocalDB;AttachDbFilename=<MDF_FILE_PATH>;Integrated Security=True;Connect Timeout=30
. Be sure to replace theMDF_FILE_PATH
variable with the full path of the MDF File.By the way, I made some modifications in the
master
branch to revoke all sessions of a user :)
Thank you, I found a way to configure sqlite in my previous questions:
https://github.com/simpleidserver/SimpleIdServer/issues/611#issuecomment-1798541019
Because I am using a PostgreSQL database, I do not have an MDF file, so I would like to try sqlite .I see in your source code that it is written as follows:
Regarding the parameters of MigrationsAssembly, I see that all the parameters here correspond to a class library in your project:
If I want to use sqlite , should I also create a similar class library?I think sqlite is very suitable for demonstration projects because you don't need to connect to a remote database and can also use pre configured database data.
This is my configuration file:
Why does this error appear after the project starts when I use the SQLSERVER database:
The connection address I configured did not mention IdServer, which is why.
Have you updated the "Backchannel logout"? I have found that even if Advanced>Token signature algorithm is not configured as rs256 in the client, the issue mentioned in this question will not occur now:https://github.com/simpleidserver/SimpleIdServer/issues/632#issuecomment-1818402839
SQL Exception:
There is an issue in the Program.cs
file. Can you please replace the SQL query ALTER DATABASE IdServer SET ALLOW_SNAPSHOT_ISOLATION ON
with ALTER DATABASE CURRENT SET ALLOW_SNAPSHOT_ISOLATION ON
?
Token Signature Algorithm:
If the algorithm for the token signature is not set for the client, then the property DefaultTokenSignedResponseAlg
from IdServerHostOptions
class will be used.
SQLITE :
To configure SQLite, please follow the steps below:
SimpleIdServer.IdServer.SqliteMigrations
and install the Nuget package dotnet add package Microsoft.EntityFrameworkCore.Sqlite
.StorageConfiguration
file and add SQLITE
to the StorageTypes
enumeration.Program.cs
file and add the following instruction in the ConfigureStorage
method.case StorageTypes.SQLITE:
b.UseSqlite(conf.ConnectionString, o =>
{
o.MigrationsAssembly("SimpleIdServer.IdServer.SqliteMigrations");
o.UseQuerySplittingBehavior(QuerySplittingBehavior.SplitQuery);
});
break;
StorageConfiguration.Type
to SQLITE.dotnet ef migrations add Init --project ../SimpleIdServer.IdServer.SqliteMigrations
SQL Exception:
There is an issue in the
Program.cs
file. Can you please replace the SQL queryALTER DATABASE IdServer SET ALLOW_SNAPSHOT_ISOLATION ON
withALTER DATABASE CURRENT SET ALLOW_SNAPSHOT_ISOLATION ON
?Token Signature Algorithm:
If the algorithm for the token signature is not set for the client, then the property
DefaultTokenSignedResponseAlg
fromIdServerHostOptions
class will be used.SQLITE :
To configure SQLite, please follow the steps below:
- Create a new project with the name
SimpleIdServer.IdServer.SqliteMigrations
and install the Nuget packagedotnet add package Microsoft.EntityFrameworkCore.Sqlite
.- Add a reference to this new project.
- Edit the
StorageConfiguration
file and addSQLITE
to theStorageTypes
enumeration.- Edit the
Program.cs
file and add the following instruction in theConfigureStorage
method.case StorageTypes.SQLITE: b.UseSqlite(conf.ConnectionString, o => { o.MigrationsAssembly("SimpleIdServer.IdServer.SqliteMigrations"); o.UseQuerySplittingBehavior(QuerySplittingBehavior.SplitQuery); }); break;
- Edit the appsettings.json and set the property
StorageConfiguration.Type
to SQLITE.- Finally, execute the following command line to create the migration scripts:
dotnet ef migrations add Init --project ../SimpleIdServer.IdServer.SqliteMigrations
SQL Exception:
Yes, according to what you said, changing the content in Program.cs will prevent this error. Are you considering changing this content in your project. SQLITE :
Yes, according to what you said, you can use the SQLITE database, but it is not complete enough. I will write down the complete process at the end for beginners like me to use. new problems:
I found that when I log in to a new client, if I click "reject" on the authorization page, an error message will appear:
The following is the process I completed using the sqlite database:
1、Start by creating a new class library project named "SimpleIdServer.IdServer.SqliteMigrations" under the Migrations directory.
2、Create the class library project, and it is recommended to place the library in the src\IdServer\ directory.
3、Install the NuGet package "Microsoft.EntityFrameworkCore.Sqlite" for the new library, and make sure to use version 7. If you install the latest version 8, it may result in compatibility errors, preventing the successful installation of the package.
4、Add a reference to the "SimpleIdServer.IdServer.Store" project for the new library.
5、In the "SimpleIdServer.IdServer.Startup" project, add a reference to the newly created library project.
6、In the 'StorageConfiguration.cs' file of the "SimpleIdServer.IdServer.Startup" project, add "SQLITE."
7、In the "Program.cs" file of the "SimpleIdServer.IdServer.Startup" project, within the "ConfigureStorage" method, add the following content:
case StorageTypes.SQLITE: b.UseSqlite(conf.ConnectionString, o => { o.MigrationsAssembly("SimpleIdServer.IdServer.SqliteMigrations"); o.UseQuerySplittingBehavior(QuerySplittingBehavior.SplitQuery); }); break;
8、Modify the "appsettings.json" file in the "SimpleIdServer.IdServer.Startup" project under "StorageConfiguration" to change "Type" to "SQLITE" and "ConnectionString" to "Data Source=yourdatabasename.db," where 'yourdatabasename' is the desired name for the generated database.
"StorageConfiguration": { "Type": "SQLITE", "ConnectionString": "Data Source=yourdatabasename.db" }
9、Right-click on the newly created library "SimpleIdServer.IdServer.SqliteMigrations" and choose "Rebuild."
10、Right-click on the "SimpleIdServer.IdServer.Startup" project and select "Open in Terminal."
11、In the terminal, enter the following command and press Enter:
dotnet ef migrations add Init --project ../SimpleIdServer.IdServer.SqliteMigrations
12、Wait for completion, and if there are no errors along the way, you can now use the SQLite database.
When the user rejects consent, an error with the code 'access_denied' and the description 'access has been revoked by the resource owner' is returned to the client. According to the RFC, https://openid.net/specs/openid-connect-basic-1_0.html, this is the expected behavior.
A UI must be added to the mvc.backchannel.sample
client to handle errors received from the IdServer and display the appropriate messages.
In the Startup.cs
class, you can use the RemoveFailure
event to override the default logic :).
options.Events = new Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectEvents
{
OnRemoteFailure = context =>
{
context.Response.Redirect("/");
context.HandleResponse();
return Task.FromResult(0);
}
};
Thank you for the tutorial on SQLITE. I have created a ticket #658 to support SQLITE in SimpleIdServer.
When the user rejects consent, an error with the code 'access_denied' and the description 'access has been revoked by the resource owner' is returned to the client. According to the RFC, https://openid.net/specs/openid-connect-basic-1_0.html, this is the expected behavior.
A UI must be added to the
mvc.backchannel.sample
client to handle errors received from the IdServer and display the appropriate messages. In theStartup.cs
class, you can use theRemoveFailure
event to override the default logic :).options.Events = new Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectEvents { OnRemoteFailure = context => { context.Response.Redirect("/"); context.HandleResponse(); return Task.FromResult(0); } };
Thank you for the tutorial on SQLITE. I have created a ticket #658 to support SQLITE in SimpleIdServer.
Understood, thank you for your help.
Under normal circumstances, when the session has not expired, that is, when the account session does not display 'Expired', when I click the exit button on the client, I will be redirected to your 5001 page. To complete the user's exit, I need to click 'Revoke session'.
After testing, I found that when the client is configured with the 'Backchannel logout URL' and the session expires,which is when the session displays "Expired", when I refresh the client, it does not automatically redirect to the login page, but can be accessed normally. Moreover, when I click to exit, it does not show a "Revoke session" of 5001, but directly redirects to the login page. Then, I continue to log in, and after successfully logging in, the "Revoke session" button will appear instead, I need to click this button to log in to the client homepage, but there is a problem during this process. If I don't click the 'Revoke session' button after logging in, I will check the sessions in 5002Website and you will find that their 'Clients' are empty.
When I click the 'Revoke session' button and log in to the client, I can see that the sid used by the client here is still the same as before.
If this browser is not closed and a new browser is opened, this phenomenon will persist when accessing the client, and the session ID that originally expired will always be used.I tested this using‘ https://github.com/duendesoftware/samples/tree/main/identityserver/v7/sessionmanagement/backchannelclient ’.I'm not sure if it's related to the logic of this project.
I'm not sure if the client should exit after the session expires, but the current situation is definitely not right.
There is another situation where when the client's Backchannel logout URL is not set, I first log in to the client in the same browser, and then access it after a successful login‘ https://localhost:5001/master ’On 5001, I logged out the newly logged in user. When I clicked on the exit button on the client, it still redirected directly to the login page without displaying a 'Revoke session'. When I tried to log in again, the first thing that appeared was' Revoke session '. However, this time when I clicked on' Revoke session ', it would redirect back to the login page, meaning that I had to log in twice to log in normally, This will not result in using the same SID as mentioned above.However, in the 5002 session, there will still be a record with empty clients.