simpleidserver / SimpleIdServer

OpenID, OAuth 2.0, SCIM2.0, UMA2.0, FAPI, CIBA & OPENBANKING Framework for ASP.NET Core
https://simpleidserver.com/
Apache License 2.0

Front-channel logout URL is not effective #674

Open qq1176914912 opened 6 months ago

qq1176914912 commented 6 months ago

I am using the ids from this project: https://github.com/DuendeSoftware/Samples/tree/main/IdentityServer/v7/SessionManagement/BackChannelClient. Front-channel logout URL configured in ids: [image]. I found that when I log in to my client and then visit the 5001 (ids) page, the logged-in user will be logged out on ids. When I click log out, I receive a message in the Logout section of my client (which is the configured front-channel logout URL). But I tried your project and also configured the front-channel logout URL: [image]. Using the same steps (first log in to the client, access 5001, log out the user on 5001, click log out), no message is received in the client's Logout. Why is this?

simpleidserver commented 6 months ago

Hello, the Duende Server sample project is configured to use Back Channel Session Logout and not Front Channel Session Logout. To enable Front Channel Session Logout, perform the following actions:

In the LogoutController class, add the following action:

// Front-channel logout endpoint: the Identity Server's end-session page loads it
// in a hidden iframe with an HTTP GET, so it must accept GET and carry no body.
[HttpGet("logout/frontchannel")]
public IActionResult FrontChannel(string sid)
{
    if (User.Identity.IsAuthenticated)
    {
        // Sign out only when the sid sent by the Identity Server matches the
        // session stored in the local cookie; a GET with a foreign or missing
        // sid must not end an unrelated session.
        var currentSid = User.FindFirst("sid")?.Value ?? "";
        if (string.Equals(currentSid, sid, StringComparison.Ordinal))
        {
            //await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
            return new SignOutResult(new[] { "Cookies", "oidc" });
        }
    }

    // Anonymous user or sid mismatch: nothing to do, answer without content.
    return NoContent();
}

Update the configuration of the client and set the 'Front-Channel logout URL' to https://<URL>/logout/frontchannel.

qq1176914912 commented 6 months ago

I also tried other ids in Duende and configured them with front-channel logout URLs, and the results were the same. I think this should be universal and not related to the project. I will try the method you provided.

Other issues:

  1. The client content at the 5001 address is not displayed: [image]
  2. Regarding the SMS and email page design: for example, after I enter test@163.com and the code is sent successfully, when I fill in the verification code and prepare to update, I change the email at the top to 123@qq.com. It still updates successfully, and the email on the updated account is the one I changed later. Isn't this a bit unreasonable? Should the content above be prohibited from modification? [image]

simpleidserver commented 6 months ago

Front Channel Session

I have reviewed the Duende sample project and, as anticipated, the logout functionality is not working. This is due to the absence of an action that accepts an HTTP GET request to revoke the current session. The sequence of actions I executed is as follows:

  1. Run the BackChannelClient and IdentityServerHost projects.
  2. Open the BackChannelClient and authenticate.
  3. Navigate to the IdentityServerHost website and click on Logout.
  4. Return to the BackChannelClient website and refresh the secure page. Despite the logout attempt, the user remains authenticated.

Without modification, this sample project cannot function correctly because there is no action that accepts an HTTP GET request to revoke the session. For more detailed information, you can refer to the documentation available here: https://openid.net/specs/openid-connect-frontchannel-1_0.html

Client names are not displayed

The issue has been addressed in the master branch. The problem stemmed from the incorrect culture used by Identity Server.

Unexpected email

This issue has also been resolved in the master branch.

qq1176914912 commented 6 months ago

Thank you for your reply.

Front Channel Session: I tested successfully with your previous method.

Unexpected email: I think it is no longer possible to make arbitrary changes now. You could set the email input box above to a property that prohibits modification.

Other issues:

  1. If the three pieces of information in the picture have already been added, they can only be changed and cannot be deleted. When I try to clear the added content and click update, it shows that the update was successful, but when the page is refreshed, the content still exists. [image]
  2. After adding credentials to the user, the page does not refresh: [image]

simpleidserver commented 5 months ago

Both issues are fixed in the master branch :)

qq1176914912 commented 5 months ago

Thank you for your help.

qq1176914912 commented 4 months ago

Hello. I am wondering whether the "Front Channel url" configured in your 5002 project will be actively requested, for example when I end a user session: [image]. I created a new MVC project and added the action you described to the project's "Controllers": [image]. Using Postman to request the address "https://localhost:5030/logout/frontchannel", I found through debugging that the request enters the action. I also tried the ids back-channel logout project: when I log out of my current account on ids, the action in my project receives a message, provided ids and the project are opened and logged in in the same browser. But I found no response when using your 5001. [image]

simpleidserver commented 4 months ago

Hello,

It is normal for the front-channel endpoint not to be called when the session is revoked on the administration website. This aligns with the RFC specification at https://openid.net/specs/openid-connect-frontchannel-1_0.html#toc, which states that when the session is revoked, an IFRAME with the 'src' attribute equal to the Front Channel Logout URL must be displayed by the Identity Server.

Therefore, this scenario can only occur when the Identity Server Session UI is being displayed: https://github.com/simpleidserver/SimpleIdServer/blob/master/src/IdServer/SimpleIdServer.IdServer.Startup/Views/CheckSession/EndSession.cshtml#L14.
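To make the iframe mechanism described above concrete, here is an added example (written for this thread, not SimpleIdServer's own end-session code) of what an OpenID Provider's end-session page produces per OpenID Connect Front-Channel Logout 1.0 section 3: one hidden iframe per relying party that took part in the session, with the iss and sid query parameters appended when that RP registered frontchannel_logout_session_required. The RpRegistration type, the issuer value and the sample registrations in Main are constructed for the example.

```csharp
// Added example, not SimpleIdServer's code. Renders the hidden front-channel
// logout iframes an OP emits on its end-session page. RpRegistration and the
// sample data in Main are constructed for this example; iss, sid and
// frontchannel_logout_session_required are the spec's parameter names.
using System;
using System.Collections.Generic;
using System.Net;
using System.Text;

public sealed record RpRegistration(
    string ClientId,
    string? FrontChannelLogoutUri,            // null: RP does not take part in front-channel logout
    bool FrontChannelLogoutSessionRequired);  // true: RP wants iss and sid on the request

public static class FrontChannelLogout
{
    // Builds the iframe src for one RP. The sid must be the OP session id the RP
    // received in its ID token, otherwise the RP's own sid check will reject the call.
    public static string BuildLogoutUri(RpRegistration rp, string issuer, string sid)
    {
        if (string.IsNullOrEmpty(rp.FrontChannelLogoutUri))
            throw new ArgumentException("RP has no front-channel logout URI", nameof(rp));
        if (!rp.FrontChannelLogoutSessionRequired)
            return rp.FrontChannelLogoutUri;

        var separator = rp.FrontChannelLogoutUri.Contains('?') ? "&" : "?";
        return rp.FrontChannelLogoutUri + separator
             + "iss=" + Uri.EscapeDataString(issuer)
             + "&sid=" + Uri.EscapeDataString(sid);
    }

    // Renders the hidden iframes. The user's browser loads them, so every RP must
    // be reachable and trusted (DNS, TLS) from the browser, not from the OP host.
    public static string RenderIframes(IEnumerable<RpRegistration> rpsInSession, string issuer, string sid)
    {
        var html = new StringBuilder();
        foreach (var rp in rpsInSession)
        {
            if (string.IsNullOrEmpty(rp.FrontChannelLogoutUri))
                continue;
            var src = WebUtility.HtmlEncode(BuildLogoutUri(rp, issuer, sid));
            html.Append("<iframe src=\"").Append(src).Append("\" style=\"display:none\"></iframe>\n");
        }
        return html.ToString();
    }

    public static void Main()
    {
        // Constructed sample: three RPs registered at the OP, two of which can be notified.
        var rps = new[]
        {
            new RpRegistration("mvc-client", "https://localhost:5030/logout/frontchannel", true),
            new RpRegistration("legacy-client", "https://legacy.example/fc-logout", false),
            new RpRegistration("no-fc-client", null, false),
        };
        Console.Write(RenderIframes(rps, "https://localhost:5001/master", "constructed-sid-123"));
    }
}
```

Running it prints two iframe tags: the first carries iss and sid because mvc-client asked for them, the second is the bare URI, and the third RP is skipped. This is also why revoking a session from the administration UI, where no such page is rendered in the user's browser, never reaches the RP.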

qq1176914912 commented 2 months ago

This is what happens when I use 'ids', where 5001 is 'ids' and 5030 is my client address.

  1. After I log in to the client, ids also changes to the logged-in state.
  2. When I click Exit on ids, 5030 also exits. https://github.com/simpleidserver/SimpleIdServer/assets/79817742/b809da2c-a61a-4d35-920f-84c645c1b67d

Then I replaced ids with your 5001: https://github.com/simpleidserver/SimpleIdServer/assets/79817742/54eb6670-c1a7-4260-ad0a-d2f99d2ba81c

It can be seen that when I use 'ids' and exit on ids, the 5030 client also exits, but when I use your 5001 project this is not the case. What is the problem?

qq1176914912 commented 2 months ago

I tried to repeat this using "ids" and I found that when I commented out the configured "FrontChannelLogoutUri" in "ids", I got the same effect as with your "5001" project, i.e. "5001 exits but the client does not exit": [image]. This is my project; you can take a look at it if you have time, and if you don't mind, you can modify it and put it in your examples. FrontChannelClient.zip

qq1176914912 commented 2 months ago

My project: when using your project instead of 'ids', I found that even if I uncheck "Front-channel logout session required" and set "Front-channel logout URL" to blank on 5002, it can still exit successfully, so now I'm confused. After repeated testing with my project, for ids, the difference between writing "FrontChannelLogoutUri" and not writing it is this: if you write "FrontChannelLogoutUri", then when you log out on "ids" the client also logs out; if you do not write it, then even if "ids" logs out, the client does not. That is, this "FrontChannelLogoutUri" is used by ids to notify the client to log out.

qq1176914912 commented 2 months ago

"https://openid.net/specs/openid-connect-frontchannel-1_0.html#toc", in section "3. The OpenID Provider Logout Functionality", seems to say that the OP (5001 or ids) logs out and then notifies the client to log out via the 'Front-channel logout URL'. But that is optional and may be the reason for the difference in the videos above, because your project didn't implement it.

simpleidserver commented 2 months ago

This problem is specific and has been fixed in the master branch. Hidden iframes are not displayed when the user clicks on the disconnect button of the identity server.

qq1176914912 commented 1 month ago

Sorry about the front-end logout again. I have deployed 5001 to Ubuntu: I deployed the 5001 and 5002 projects and configured the domain names on Ubuntu, which uses the SQLite database.

  1. This is the exit method of the front-end logout project: [image]. When I start the project and click the exit button, I get an "id_token"; by parsing the id_token I get the sid, and then I use the browser to request "https://xxxx:5001/master/end_session?id_token_hint={id_token}". The returned result is "You are logged out." After logging in to 5002 and going to User -> Sessions, I found that the status of the session id was still active.
  2. My front-end logout project is local, and the 5001 project is deployed on remote Ubuntu. I want to achieve the effect we talked about earlier (5001 logs out, the front-end logout project also logs out). This is the configuration on 5002: [image]. This address is accessible from Ubuntu, except that the curl command has to ignore the certificate error to access it. But when I actually do it, I find that my local project does not receive the exit instruction, that is, the local front-end logout action does not receive the request. The front-end logout project does not have this problem if it is on the same machine as the 5001 project (both local). The same back-channel logout project (project local, 5001 project on remote Ubuntu), whose configuration is similar to the front-end logout except for the port, can be successfully kicked out by 5002 via User -> Sessions -> End session. So I want to know what is going on. Is there any difference in the logic of the request?

simpleidserver commented 1 month ago

Hello,

  1. The code doesn't seem to be correct. The property is set to "https://xxx:25001", but the user-agent is not redirected to the URL. Instead of doing it manually, you can use the following code, configure the OpenIdConnect NuGet package, and set its authentication scheme to oidc:

     SignOut(new AuthenticationProperties
     {
         RedirectUri = ""
     }, "oidc");

  2. When the front-channel URL is used, an iframe is displayed by the web browser, and no HTTP request is executed by the backend. Please check if the iframe is displayed and if the URL is accessible.

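The two points above (sign out through the oidc scheme so the user-agent is redirected to the OP, and the iframe being loaded by the browser rather than fetched by the backend) map onto the relying-party configuration below. This is an added example written for this thread, not SimpleIdServer's or the poster's code: the authority, client id, client secret and paths are placeholders, the scheme names "Cookies" and "oidc" are the ones used earlier in the thread, and it needs the Microsoft.AspNetCore.Authentication.OpenIdConnect package. Because the browser loads the iframe from the OP's page, the request to the client is a cross-site request: the client's session cookie is only attached if it is marked SameSite=None and Secure, and the client's hostname and certificate must be resolvable and trusted by the browser, not by the OP host.

```csharp
// Added example, not the project's or the poster's code: relying-party side of
// front-channel logout in ASP.NET Core (Program.cs, top-level statements).
// Authority, client id/secret and paths are placeholders.
using System;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

const string Authority = "https://op.example/master";   // placeholder OP issuer

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme; // "Cookies"
    options.DefaultChallengeScheme = "oidc";
})
.AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options =>
{
    // The front-channel iframe is embedded in the OP's page, so the request to
    // this RP is cross-site. With the default SameSite=Lax the browser does not
    // attach the session cookie, the RP sees an anonymous user and signs
    // nothing out. SameSite=None is only honoured together with Secure.
    options.Cookie.SameSite = SameSiteMode.None;
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
})
.AddOpenIdConnect("oidc", options =>
{
    options.Authority = Authority;
    options.ClientId = "front-channel-client";      // placeholder
    options.ClientSecret = "placeholder-secret";    // placeholder
    options.ResponseType = "code";
    options.SaveTokens = true;   // keeps the id_token so SignOut can send id_token_hint
});

var app = builder.Build();
app.UseAuthentication();

app.MapGet("/", (HttpContext ctx) =>
    ctx.User.Identity?.IsAuthenticated == true
        ? $"Signed in, sid={ctx.User.FindFirst("sid")?.Value}"
        : "Anonymous");

// RP-initiated logout: clear the local cookie and redirect the user-agent to the
// OP's end_session endpoint, where the OP renders the front-channel iframes.
app.MapGet("/logout", () =>
    Results.SignOut(new AuthenticationProperties { RedirectUri = "/" },
                    new[] { CookieAuthenticationDefaults.AuthenticationScheme, "oidc" }));

// Front-channel endpoint loaded inside the OP's hidden iframe (HTTP GET). It
// checks that sid (and iss, when sent) match the local session before clearing
// the local cookie, and tells caches not to store the response.
app.MapGet("/logout/frontchannel", async (HttpContext ctx, string? sid, string? iss) =>
{
    ctx.Response.Headers["Cache-Control"] = "no-store, no-cache, max-age=0";
    ctx.Response.Headers["Pragma"] = "no-cache";

    if (ctx.User.Identity?.IsAuthenticated != true)
        return Results.NoContent();

    // The OIDC handler's default claim actions drop the iss claim, so compare
    // the issuer against the configured authority rather than a claim.
    if (iss is not null && !string.Equals(iss, Authority, StringComparison.Ordinal))
        return Results.BadRequest("unexpected issuer");

    var currentSid = ctx.User.FindFirst("sid")?.Value;
    if (sid is null || !string.Equals(currentSid, sid, StringComparison.Ordinal))
        return Results.NoContent();

    // Clearing the local cookie is enough here: the OP session is already being
    // ended by the end-session page that embeds this iframe.
    await ctx.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
    return Results.NoContent();
});

app.Run();
```

To check the remote case, open the browser's network tab on the OP's end-session page: the iframe request must appear, must carry the client's cookie, and must get a 204. A missing cookie points at SameSite, a failed connection or certificate error points at the browser's view of the client host.
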
qq1176914912 commented 1 month ago

I had been understanding it wrong. The correct flow should be: the client, by clicking logout, jumps to the 5001 address, and then 5001, through the configured front-end logout address, notifies the client via the iframe tag (this address needs to clear the client's cookie). [image]

qq1176914912 commented 1 month ago

Sorry to interrupt. If I follow my understanding, when 5001 and the front-end logout project are together (locally), when I click Exit in the project to jump to the 5001 end session page, F12 shows that the iframe tag requests the front-end logout address I configured and responds with 200. But when I deploy 5001 to the remote server, it cannot request it: [image]. Here zxf-pc-01:5030 is the address of my front-end logout project, and the remote server of 5001 can access this domain name + port: [image]