IdentityServer4 logout
I am having an issue where I cannot seem to get my Identity Server logout to show the confirmation first. I downloaded the source code for IdentityServer4 from github and found the parameter in the Models folder: LogoutRequest.cs, ShowSignOutPrompt. There are no references to it in IdentityServer except to check it during the logout.

In debugging, I see that it is false. I don't know where this is supposed to get set, I've checked the options for the client config on both the server and client side, as well as the options on server startup.

I can find no instances of "ShowSignoutPrompt" in the client code (I'm using the IdentityServer3 Owin Hybrid client sample currently).

Here's the code flow: We have a button in our default layout which triggers the client's AccountController.Signout():

public void Signout()
{
    Request.GetOwinContext().Authentication.SignOut();
}

From there, I'm not exactly sure how, but the next point it hits is IdentityServer's AccountController.Logout(string logoutId). That method builds the logout prompt view (using checks in AccountServices.BuildLogoutViewModelAsync) and returns it to the user's browser. The only way it works properly to not set the ShowSignoutPrompt to false is if PostLogoutRedirectUri is set to "/signout-callback-oidc". I don't know why.

When the user clicks "yes" on the view generated above, it goes to IdSrvr's AccountController.Logout(LogoutInputModel model). I am trying to change the last line of that method from:

return View("LoggedOut", vm);

to:

return Redirect(vm.PostLogoutRedirectUri);

There's another problem here in that the PostRedirectUri is null here, even though I set it on the client config (well, for that matter, Identity Server's client config also has it).

Griffis answered 5/3, 2018 at 15:24 Comment(4)
If I set the PostLogoutRedirectUri to "/signout-callback-oidc", then it successfully shows the logout prompt, but then it throws an error in the IdentityServer AccountController because AccountService.BuildLoggedOutViewModelAsync is returning a null view model.Griffis
I also see the AccountOptions.cs in the IdentityServer host controllers folder. My current values for that are: ShowLogoutPrompt = true; AutomaticRedirectAfterSignOut = false; I'll experiment with the automatic redirect shortly, I think I was getting flaky behavior out of that too earlier.Griffis
It should be noted for others who see this later that the Logout(string logoutId) method of AccountController actually gets called quite a few times (3) if you are using an external identity provider: 1. The first time it gets triggered from the client's Signout() method. 2. After the user clicks "Yes" on the confirm logout view. 3. After the external identity provider returns control after signing the user out on that end (triggered from the Logout(LoggedOutViewModel model) method). This can lead to a LOT of confusion. I'm still not there yet.Griffis
I had asked two separate questions while trying to get logout to prompt and return to the client's logout page, this one and this: #49117783 I have marked the below as the answer because it clarifies quite a bit, if that is not enough information, I answered the other question as well.Griffis

There is no client attribute to control this.

When logging out the client application calls the IdentityServer4 End Session Endpoint.

The signout prompt can be bypassed when a client sends the original id_token. This is passed in as the id_token_hint parameter.

In addition, it indicates if the request for the sign-out has been authenticated, and therefore it's safe to not prompt the user for sign-out. per ref

ShowSignoutPrompt: Indicates if the user should be prompted for signout based upon the parameters passed to the end session endpoint. Source PDF

NOTE: If you are using the JavaScript OIDC-Client-JS library, the 'signoutRedirect' method will internally check, see _signoutStart method line 354, for the id_token_hint argument or the users id_token. So if you are using this library to log a user off and want to force the logout screen you will have to clear the user.id_token.

Sample section from _signoutStart()

_signoutStart(args = {}, navigator, navigatorParams = {}) {
    ...
    var id_token = args.id_token_hint || user && user.id_token;
    if (id_token) {
        Log.debug("Setting id_token into signout request");
        args.id_token_hint = id_token;
    }
    ...
}

UPDATE:

If you are using IdentityServer4 version 2.x you can use the new class ClientProperty to store key-value pairs. In here you could create a key of "LogoffPromptRequired" and a value of "true" to be used in the client or IdentityServer implementation to determine if the log off screen is required.

Enrika answered 5/3, 2018 at 16:13 Comment(5)
So if I want to force the logout prompt, I should modify the client to not send the id_token I guess.Griffis
What type of client do you have? C# API, Web client that has JavaScript?Enrika
The original source for the client is from the IdentityServer samples, MVC Owin Hybrid. Had to use that in order to get a .NET standard project working with the .NET Core IdentityServer4. The client is from IdentityServer3 but still works with IdentityServer4.Griffis
Can you share the logout code from that client in your question details?Enrika
@Enrika Is there an option to also bypass the logout screen from identity server as well when using the oidc-client-js library? I'm coding a logout functionality to kick out users that are idle. I used createSignoutRequest(id_token_hint: user.id_token) and performed a GET request to this endpoint but it's not working.Hindorff
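The mechanism this answer describes, as an added example that is not code from oidc-client-js or IdentityServer4: the client builds the End Session request the way _signoutStart does (id_token_hint only when a token is available), and the server side skips the prompt only when that hint authenticates the request, with the UPDATE's "LogoffPromptRequired" client property able to force it back on. Function names, the endpoint and app URLs, the sample token and the stub validator are assumptions for this illustration.

```javascript
// Client side: mirror of oidc-client-js's _signoutStart() selection logic.
// id_token_hint is set from the explicit argument or the stored user's
// id_token; leaving both empty is what forces the prompt on the server.
function buildEndSessionUrl(endSessionEndpoint, args = {}, user = null) {
  const url = new URL(endSessionEndpoint);
  const idToken = args.id_token_hint || (user && user.id_token);
  if (idToken) url.searchParams.set("id_token_hint", idToken);
  if (args.post_logout_redirect_uri) {
    url.searchParams.set("post_logout_redirect_uri", args.post_logout_redirect_uri);
  }
  if (args.state) url.searchParams.set("state", args.state);
  return url.toString();
}

// Server side: the decision the answer describes. The prompt is skipped only
// when a valid id_token_hint proves the request came from a client that holds
// the user's token; a missing or invalid hint always prompts, so a plain link
// cannot silently sign the user out. `validateIdToken` is a stand-in for
// IdentityServer's real token validation (assumption, not the library's API).
function shouldShowSignoutPrompt(requestUrl, validateIdToken, clientProperties = {}) {
  const params = new URL(requestUrl).searchParams;
  const hint = params.get("id_token_hint");
  if (!hint || !validateIdToken(hint)) return true;
  // ClientProperty idea from the UPDATE: a per-client key can re-enable the
  // prompt even though the request was authenticated.
  return clientProperties.LogoffPromptRequired === "true";
}

// Constructed sample data: a fake id_token and a validator that accepts only it.
const SAMPLE_ID_TOKEN = "eyJ.constructed.sample.idtoken";
const validateSample = (t) => t === SAMPLE_ID_TOKEN;
const ENDSESSION = "https://idsrv.example/connect/endsession";
const RETURN_URL = "https://app.example/signout-callback-oidc";

// Compare a normal oidc-client-js style signout with one where the stored
// id_token was cleared first (the answer's recipe for forcing the screen).
function demo() {
  const user = { id_token: SAMPLE_ID_TOKEN };
  const args = { post_logout_redirect_uri: RETURN_URL };
  const silent = buildEndSessionUrl(ENDSESSION, args, user);
  const forced = buildEndSessionUrl(ENDSESSION, args, { ...user, id_token: null });
  return {
    silentPrompts: shouldShowSignoutPrompt(silent, validateSample),
    forcedPrompts: shouldShowSignoutPrompt(forced, validateSample),
  };
}
```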

I'd recommend implementing the prompt in the client app and then redirecting to endsession when that is complete.

Parisparish answered 5/3, 2018 at 16:32 Comment(2)
Are you saying let the user determine if the logoff prompt should be shown?Enrika
I figured out how to get IdentityServer to take the PostLogoutRedirectUri, will provide an answer with relevant details and the traps/rabbit holes that result in getting a null on the server side. Thanks for the help everyone.Griffis