Reputation: 682
Identity Server 4 /connect/endsession failing "The resource you are looking for has been removed...."
- Using Identity Server 4
- Asp.Net Core MVC client successfully login
When logging out from client getting error on url https://identity.acme.com/connect/endsession.... (complete url listed below)
"The resource you are looking for has been removed, had its name changed, or is temporarily unavailable."
AccountController.Logout calls
await HttpContext.SignOutAsync("Cookies");
await HttpContext.SignOutAsync("oidc");
The Url in the browser is:
https://identity.acme.com/connect/endsession?post_logout_redirect_uri=https%3A%2F%2Fadmin.acme.com%2Fsignout-callback-oidc&id_token_hint=eyJhbGciOiJSUzI1NiIsImtpZCI6IkQ1NjY2RURGQjNFM0M3MDdCNkJCRUFCNEU3NTU3Q0NDNTNBOTc2Q0IiLCJ0eXAiOiJKV1QiLCJ4NXQiOiIxV1p1MzdQanh3ZTJ1LXEwNTFWOHpGT3Bkc3MifQ.eyJuYmYiOjE1MjM4NTI5NDMsImV4cCI6MTUyMzg1NjU0MywiaXNzIjoiaHR0cHM6Ly9pZGVudGl0eS50eXBzeS5jb20iLCJhdWQiOiJ0eXBzeS1pbmRpdmlkdWFsIiwibm9uY2UiOiI2MzY1OTQ0OTczMzc2OTAzMjQuTkRFME5EVXlORFF0WldOaU9TMDBOMkkzTFRrM01UY3RZVFl3WldRNVl6UmpObUk1WkRkaE5UUmtNVGN0WWpjM1lTMDBPVE16TFdFeU5tSXRZekpqWW1SaFptWTBPV1EzIiwiaWF0IjoxNTIzODUyOTQzLCJhdF9oYXNoIjoidkZacmdQUUI2UHd5VzBDeUhCV3QzdyIsInNpZCI6IjFlYjQxYzgwYjhmNGUxMTQ4MjViNDhiNmY4OWE1ZWY3Iiwic3ViIjoiYTAxNjI0MzAtZWIyMi00MTU0LWJmNTktMGJhNDliZmQ0NzNkIiwiYXV0aF90aW1lIjoxNTIzODUyOTQxLCJpZHAiOiJsb2NhbCIsIkFzcE5ldC5JZGVudGl0eS5TZWN1cml0eVN0YW1wIjoiMGM1YzQyNTQtOTM4NS00MWFiLWI5MTktNDFhZjgyOTFlNjljIiwiT3JnYW5pc2F0aW9uIjoiRmFuZXRpYyIsImdpdmVuX25hbWUiOiJKdXN0aW4iLCJmYW1pbHlfbmFtZSI6IkRyZXJ1cCIsInJvbGUiOlsiU3R1ZGVudCIsIkFkbWluaXN0cmF0b3IiLCJNYW5hZ2VyIiwiQWRtaW4iLCJUeXBzeS1PcmciXSwicHJlZmVycmVkX3VzZXJuYW1lIjoianVzdGluZEB0eXBzeS5jb20iLCJuYW1lIjoianVzdGluZEB0eXBzeS5jb20iLCJlbWFpbCI6Imp1c3RpbmRAdHlwc3kuY29tIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImFtciI6WyJwd2QiXX0.ifQJVB25rAB3HP30F9vtRvzLZ9dHjORHX7cKoG6SLLR3WqGzpoCkjnq10ijffjj2QbsvjxRPvsYPgbVxISwP04V79RFTHqZI7Z39vsBSZSGeJnkhQLXCvMs9i6F4-aiHR9dF3KTMCMOXFfiG0stG69vIMPckUHuTh5yT5a_nFSL4lebLb5AOpPHto8TtTy6SvFOGp7uyXw7d_KVQ3U9lo4RTYvPVePgq9bZf1DcaOL_gutj2EmHVrNc9kDIQRxK4rTbjx2kFrxD2LauEmh-OXTdzjOqtXLQF2jRwV4sGvPImiBOt75vLMlJJUP8B7sEm61bR50hfOqpycm46PO_awryxWGvqItjrYe8P0OQtuaQghCkesjToW4_OPHHQJIX2jXLN3i0SvfmPEB41pqmP73cKvCjMAMeCllfZ8pfRwzsbzvWKYZ2jZkF4CT6zQq4pEGblEl12yC-I59gqRYozhxz1hiPep4KkgHZ40VRjCR5LNu8Mmx2qp8B7xwyfzes1r7VnCeMJJd7LNqRRdE6mszj7vaZdvHb8n7UDud1hzktYLoVUENodCo4KrGuD7QwT28q8IK2sbtcK_98aLap2WeXcuDMsP5zbrGS2Vb3N4YezdqEU7YJjvk9tvdMdafTYe4LKNaq-cDHVnJh_pmXJsL6odwz9eXkddJBPzhHXf6M&state=CfDJ8Pr81inWVH5OlYUuWwOTfYygcAOv4qo4Jl03Su6yhd8WHQz8m-LK-vBDM8CjSBrqjNLz4Qdqx8759Wpts3AsgHnf997vKLyWqQSOgTQPOpy5qyouRMRmHEsk-h5BnQR4_SHIkzo5_kgJQ0xROmsqUD4Aq3o0zYd-rI-GYHiii7P_&x-client-SKU=ID_NET&x-client-ver=2.1.4.0
To the best of my knowledge this was working for many months. I can't see any change in the code that would have impacted this so suspect it is environmental.
I have turned on logging and the /connect/endsession doesn't even appear to be triggered. All other events are logged.
In development, it works and the logging shows the endpoint being called:
Endpoint enabled: "Endsession", successfully created handler: "IdentityServer4.Endpoints.EndSessionEndpoint"
Request path "/connect/endsession" matched to endpoint type "Endsession"
The client has the correct PostLogoutRedirectUris configured in IdentityServer4 Config.cs
PostLogoutRedirectUris =
{
"https://admin.acme.com/signout-callback-oidc"
},
Interestingly, if I manually edit the Url to remove the
post_logout_redirect_uri=https%3A%2F%2Fadmin.acme.com%2Fsignout-callback-oidc&
and submit then I'm successfully redirected to Identity Server to the LoggedOut page.
If I remove the
.AddOpenIdConnect("oidc", options =>
{
options.SignedOutRedirectUri = "https://admin.acme.com";
}
from the startup.cs then I can successfully logout from the client (however there is no longer a redirect post logout)
Can anyone explain what is happening?
UPDATE - Is it a length of URL issue?
- I've done some more investigation
- when i remove the post_logout_redirect_uri=https%3a%2f%2fadmin.acme.com%2fsignout-callback-oidc& it doesn't always work - this is a clarification on what I said before.
- If I remove everything from state=xxxx onwards then the url is accepted, Identity Server runs and it successfully redirects back to https://admin.acme.com/signout-callback-oidc however it is missing the state=xxxxx
I can then append the state parameter to the redirected Url and the process completes https://admin.acme.com/signout-callback-oidc?state=CfDJ8Pr81inWVH5OlYUuWwOTfYygcAOv4qo4Jl03Su6yhd8WHQz8m-LK-vBDM8CjSBrqjNLz4Qdqx8759Wpts3AsgHnf997vKLyWqQSOgTQPOpy5qyouRMRmHEsk-h5BnQR4_SHIkzo5_kgJQ0xROmsqUD4Aq3o0zYd-rI-GYHiii7P_&x-client-SKU=ID_NET&x-client-ver=2.1.4.0
The Url (un-altered) is 2135 characters
- I also did a test by shortening some of the characters from the overall url to 2095 characters (taking from state=) and Identity Server is triggered (but the state code is invalid as I've altered it)
- So whenever the url is over 2095 characters it is failing.
This makes me question if this is an issue with the server not accepting a long url?
Upvotes: 5
Views: 6235
Answers (2)
Reputation: 105
I'm doing tests with identity server 4 and asp.net core and face the same issue with the URL length. I found an alternative that could help. There is an option in AddOpenIdConnect() that you can set the method used to redirect the user agent to the identity provider. I set it to "FormPost" and now the request use POST instead of GET to call the endsession endpoint.
.AddOpenIdConnect("oidc", options =>
{
[...]
options.AuthenticationMethod = OpenIdConnectRedirectBehavior.FormPost;
}
Upvotes: 7
Reputation: 682
Based on the debugging outlined in the question I determined this appeared to be an issue with Url length.
- I followed the guidance in this article https://leastprivilege.com/2016/12/14/optimizing-identity-tokens-for-size/ and this article https://leastprivilege.com/2017/11/15/missing-claims-in-the-asp-net-core-2-openid-connect-handler/ and this article https://leastprivilege.com/2017/11/15/missing-claims-in-the-asp-net-core-2-openid-connect-handler/ to reduce the number of claims being returned and hence the size of the token.
- This resulted in the problem going away.
- I still don't know why this suddenly stopped working (noting that the size or number of claims hadn't changed)
A positive outcome is that I had to dive much deeper into understanding how Identity Server works and I've managed to optimise the overall sign-on process and speed significantly as well as improve my overall implementation.
In summary - these are some of the changes I made:
Don't return
IdentityServerConstants.StandardScopes.Profile
Set
AlwaysIncludeUserClaimsInIdToken = false
and use
public async Task GetProfileDataAsync(ProfileDataRequestContext context)
to provide the claims you need (as well as not returning claims my client was not using)
Upvotes: 6
Related Questions
- identityserver4 Correlation failed
- IdentityServer4 - Auth error TypeError: Failed to fetch
- .Net Core 2.1 OpenIdConnectProtocolException
- Cannot sign out the OpenIdConnect authentication of identityserver4 on ASP.NET Core 2 application
- Identity Server 4 refused to frame SignOutIframeUrl
- IDX20803: Unable to obtain configuration from: 'https://localhost/IdentityServer/Core/.well-known/openid-configuration'
- Upgraded IdentityServer4 - Checking for expected scope openid failed
- Identity Server 404 after login (stuck on signin-oidc)
- IdentityServer4 error when using WindowsAuthentication
- How to solve open id configuration error with identity server 4?