Yavuz

Reputation: 660

Append client ID to logout URL with OWIN middleware for OIDC

I am working on a web application for a customer. For authentication the customer is using his own (custom) OIDC identity provider. I was able to implement sign-in, signup, password reset. Now the task is to implement signout.

When the user signs out, he is redirected to https://customoidc.example.com/ciam/logout?post_logout_redirect_uri=https%3a%2f%2flocalhost%3a4200%2faccount%2fsignout-callback. This is not a valid logout URL for the custom OIDC provider. It needs the client ID as well. I was not able to configure the middleware to send the client ID as a query string parameter. How can I achieve this?

Appending the client ID in the configuration EndSessionEndpoint = ciamUrl + $"ciam/logout?client_id={clientId}" results in the malformed URL https://customoidc.exemple.com/ciam/logout?client_id={clientId}?post_logout_redirect_uri=https%3a%2f%2flocalhost%3a4200%2faccount%2fsignout-callback (double question marks).

This is what the authentication middleware looks like:

public void ConfigureAuth(IAppBuilder app)
{
    // The cookie middleware holds the local session; the OIDC middleware
    // talks to the identity provider and signs in as this cookie type.
    var cookieAT = CookieAuthenticationDefaults.AuthenticationType;
    app.SetDefaultSignInAsAuthenticationType(cookieAT);

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        // Must match the default sign-in type above and the type passed to
        // SignOut below, otherwise the OIDC sign-in never issues a cookie.
        AuthenticationType = cookieAT,
        AuthenticationMode = AuthenticationMode.Active
    });

    app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
    {
        ClientId = clientId,
        RedirectUri = redirectUri,
        // Endpoints are configured explicitly instead of via discovery.
        Configuration = new Microsoft.IdentityModel.Protocols.OpenIdConnectConfiguration
        {
            AuthorizationEndpoint = ciamUrl + "oidc10/auth/oauth/v2/authorize",
            TokenEndpoint = ciamUrl + "oidc10/auth/oauth/v2/token",
            UserInfoEndpoint = ciamUrl + "oidc10/openid/connect/v1/userinfo",
            // On sign-out the middleware appends "?post_logout_redirect_uri=..."
            // to this value to build the end-session request URL.
            EndSessionEndpoint = ciamUrl + "ciam/logout"
        },
        ResponseType = "code",
        Scope = "openid ciam-uid email profile"
    });
}

Sign out is triggered through this code:

[RoutePrefix("account")]
public class AccountController : Controller
{
    [Route("signout")]
    public void SignOut()
    {
        // Absolute URL of the local callback; the OIDC middleware sends it
        // to the provider as post_logout_redirect_uri.
        string callbackUrl = Url.Action(
            actionName: "SignOutCallback",
            controllerName: "Account",
            routeValues: null,
            protocol: Request.Url.Scheme);
        var authnProperties = new AuthenticationProperties { RedirectUri = callbackUrl };
        var oidcAT = OpenIdConnectAuthenticationDefaults.AuthenticationType;
        var cookieAT = CookieAuthenticationDefaults.AuthenticationType;
        var owinCtx = HttpContext.GetOwinContext();
        // Sign out of both: clear the local cookie and redirect to the
        // provider's end-session endpoint.
        owinCtx.Authentication.SignOut(authnProperties, oidcAT, cookieAT);
    }

    ...
}

Upvotes: 1

Views: 1774

Answers (1)

Yavuz

Reputation: 660

Changing the configuration to

EndSessionEndpoint = ciamUrl + $"ciam/logout?client_id={clientId}"

in combination with updating the NuGet package Microsoft.IdentityModel.Protocol.Extensions to version 1.0.4.403061554 (latest stable) did the trick.

This is a similar post, "Azure Active Directory B2C, 404 error, unexpected question mark in URL", which led to the answer.

Upvotes: 1
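An alternative that does not depend on the package version, added here as an example and not part of the question or answer: leave EndSessionEndpoint without a query string and set client_id on the protocol message from the RedirectToIdentityProvider notification, so the middleware serialises client_id and post_logout_redirect_uri into a single, well-formed query string. It assumes Katana 3.x with Microsoft.IdentityModel.Protocol.Extensions 1.x, where the enum member is OpenIdConnectRequestType.LogoutRequest (Katana 4.x names it OpenIdConnectRequestType.Logout); the class name LogoutClientIdNotifications is hypothetical.

```csharp
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;          // OpenIdConnectRequestType
using Microsoft.Owin.Security.OpenIdConnect;

// Example code (not from the question or answer). Builds the notifications
// object for OpenIdConnectAuthenticationOptions so that the end-session
// request carries client_id without editing EndSessionEndpoint.
public static class LogoutClientIdNotifications
{
    public static OpenIdConnectAuthenticationNotifications Create()
    {
        return new OpenIdConnectAuthenticationNotifications
        {
            RedirectToIdentityProvider = n =>
            {
                // Only the logout request needs it; the authorize request
                // already carries client_id from the options.
                // Assumption: Katana 3.x enum name (Katana 4.x: Logout).
                if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.LogoutRequest)
                {
                    // Set client_id as a message parameter. CreateLogoutRequestUrl()
                    // then emits EndSessionEndpoint + "?" + all parameters, so the
                    // URL contains exactly one '?' and both query parameters.
                    n.ProtocolMessage.ClientId = n.Options.ClientId;
                }
                return Task.FromResult(0);
            }
        };
    }
}
```

Wire it in with Notifications = LogoutClientIdNotifications.Create() inside the OpenIdConnectAuthenticationOptions from the question, keeping EndSessionEndpoint = ciamUrl + "ciam/logout" so client_id is not sent twice.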
