IdentityServer3, can't update cookie when apps are on different machine?

I set up several test sites for SSO using IdentityServer3, pretty much the cookie-cutter sample apps with minor variations. They work well except for one thing: when trying to single sign OUT and/or update claims via cookie, it only works if all apps are on the same machine.

For example, these two apps can single sign out.

http://localhost:81
http://localhost:82

Claims updated in one app using the following also show up in the other.

        using System.Security.Claims;
        using System.Web;                 // GetOwinContext() extension (Microsoft.Owin.Host.SystemWeb)
        using Microsoft.Owin.Security;

        // identity: the ClaimsIdentity carrying the updated claims; re-issuing the grant rewrites this app's cookie
        var authenticationManager = HttpContext.Current.GetOwinContext().Authentication;
        authenticationManager.AuthenticationResponseGrant =
            new AuthenticationResponseGrant(new ClaimsPrincipal(identity),
                new AuthenticationProperties { IsPersistent = false });

It also works if I configure the apps like this:

http://mymachine/app1
http://mymachine/app2

But if I mix the two

http://localhost:81
http://mymachine/app2

Then it won't work. Tried SignOut/SignIn too, same result. They still single sign on, but can't sign out together. Changes in claims won't show in the other. Of course, the same happens if I deploy the apps to different servers. As if the cookie update happened on the local machine, rather than on IdSvr.

Any hint what I missed? Thanks.

Doug answered 1/9, 2016 at 17:35

Can you please let me know how you have achieved single sign out in IdentityServer 3? (Anaya)

Single Sign Off is not available out of the box; unfortunately, the behavior you were seeing when in the same domain was a bit of a red herring.

Out of the box, when you log out of IdentityServer, your client applications will only find out and log out themselves once they make a new request to IdentityServer (maybe their own application cookie expired and they went to re log in, or maybe they tried to request a token).

To implement Single Sign Off, each of your client applications needs to have a way of being told by IdentityServer that they need to log out. This can be done using a front-channel HTTP request or by session management.

Check out the IdentityServer Signout Support documentation for more details on how to do this or check out Brock Allen's post on the subject.

Trifoliate answered 2/9, 2016 at 11:21

Thanks for the quick update. I only have server-side .NET web apps. Do you mean that even with the HTTP-based logout mentioned in the documentation and sample apps, the client still needs to make a token refresh call in order to be notified of the signout? Just refreshing the current page won't do? For a moment, I thought the Signout would remove the authentication cookies from IdSvr and when the RP reloads the page, they would end up unauthenticated? (Doug)

Every application still issues its own cookie; it just happens to be using the identity authenticated by IdentityServer. Whilst the client who initiates the login request can log themselves out at the same time, all other applications will stay logged in until their own cookie expires or they are notified in some way by IdentityServer. If you wanted to log out on page refresh, you'd have to check with IdentityServer to see if the session is valid every time. (Trifoliate)

Thanks, it all makes sense now. Because of that local exception, I have been trying not only single sign out, but even thinking I could share app/user context info between websites ... and with some success. Haha. (Doug)

The mix-up was because I didn't set the cookie name in CookieAuthenticationOptions. Really appreciated all the help. (Doug)
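
As an added illustration (not code from the question, the answer or the IdentityServer3 samples), a minimal Katana startup for one relying party that puts together what the thread concludes: a distinct CookieName per app (Katana's default is ".AspNet.Cookies", so two apps under one host silently share it) and a front-channel sign-out endpoint that IdentityServer can call via the client's LogoutUri. The hostnames, client id and endpoint path are constructed.

```csharp
using System.Threading.Tasks;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

// Hypothetical OWIN startup for one relying party ("app1"). IdentityServer3 is assumed
// to run at https://idsvr.example/identity and app1 at https://app1.example (both
// constructed). Each RP keeps its OWN cookie, so the cookie name must be unique per app
// or two apps on the same host (http://mymachine/app1, /app2) overwrite each other's.
public class Startup
{
    private const string CookieType = "Cookies";

    public void Configuration(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = CookieType,
            // Distinct per app; leaving the default lets app1 and app2 share one cookie
            // when they sit under the same host, which is what made sign-out and claim
            // updates appear to propagate "locally" only.
            CookieName = "app1.auth"
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            Authority = "https://idsvr.example/identity",
            ClientId = "app1",
            RedirectUri = "https://app1.example/",
            PostLogoutRedirectUri = "https://app1.example/",
            ResponseType = "id_token",
            Scope = "openid profile",
            SignInAsAuthenticationType = CookieType
        });

        // Front-channel logout: register https://app1.example/signoutcleanup as this
        // client's LogoutUri in IdentityServer. Its signed-out page loads the URL in a
        // hidden iframe, so app1 clears its own cookie without waiting for the user to
        // revisit and be bounced back to IdentityServer.
        app.Map("/signoutcleanup", cleanup => cleanup.Run(ctx =>
        {
            ctx.Authentication.SignOut(CookieType);
            return Task.FromResult(0);
        }));
    }
}
```

The cleanup endpoint only removes this app's cookie; IdentityServer's own session and the other apps' cookies are each cleared by their own handlers.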
