Rodney Pannell

IdentityServer4 - LogoutRequest.PostLogoutRedirectUri is null

I have an identity server project that I am working on that for some reason is setting the logout URL as null. Using the "BuildLogoutViewModelAsync(logoutId)" function found in the QuickStart, this line is returning null, but in the log the "post_logout_redirect_uri" is set and is set correctly:

var context = await this.interactionService.GetLogoutContextAsync(logoutId);

Here is the necessary information from the log file.

2018-06-11T16:11:27.1301566-04:00 0HLEFQTLST4A2:00000006 [INF] Profile service returned to the following claim types: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress name given_name email UserId PayeeId ErpPayeeId MyReports PipelineCRM Start Start IdentityManager SpecialOrder MarketingEmail PunchOut CustomerEntityManager AttributeManager SpecialOrdersLite PayeeManagement VirtualVideoTraining MySurveys NAMToolkit Dashboard FrameworkManager FrameworkManager ContractManagement SalesDashboard HRSInstallationLeadForm PunchoutManagement CompetitiveIntelligence SpecialOrderRequest LuceneIndexSearch CompetitiveIntelligence PKB CompetitiveIntelligence CompetitiveIntelligence CompetitiveIntelligence PKB SpecialOrderRequestPOC AppsManagement Genie Testing1234 October Deviation ReportDeliveryManagement ReportDeliveryManagement RgTest TestingUpdates1 TrainingDemo ABCDE CustomerSegmentationManager CustomerSegmentationManager TestingTemplate2 AppsMgmt AppsMgmt AppsMgmt InventoryControlWorkflow ProPurchaseCardMaint" (a9217bec)
2018-06-11T16:11:27.1354674-04:00 0HLEFQTLST4A2:00000006 [INF] Request finished in 1263.2834ms 200 application/json; charset=UTF-8 (791a596a)
2018-06-11T16:11:29.9711755-04:00 0HLEFQTLST4A1:00000007 [INF] Request starting HTTP/1.1 GET http://localhost:44329/connect/endsession?post_logout_redirect_uri=http%3A%2F%2Flocalhost%3A21402%2Fsignout-callback-oidc&state=CfDJ8A54aiN-IdtIpcL6PAgpJbMSpzMkkd27BJqnGFbTgRwiqdf1XkpfMApJnfC0_3BOsVALgr2skPwBmy74ToICvY6ZjWsd4BJLHkVqJD9Cp45zXBKH37iX2o2y6A8wD30yghQDcA4B2iPHg6eAjliWN4h8jv3PdlE_gjIKiNY-Eckk&x-client-SKU=ID_NET&x-client-ver=2.1.4.0   (ca22a1cb)
2018-06-11T16:11:29.9738375-04:00 0HLEFQTLST4A1:00000007 [INF] AuthenticationScheme: "idsrv" was successfully authenticated. (1805f3b3)
2018-06-11T16:11:29.9759119-04:00 0HLEFQTLST4A1:00000007 [INF] AuthenticationScheme: "idsrv" was successfully authenticated. (1805f3b3)
2018-06-11T16:11:29.9796082-04:00 0HLEFQTLST4A1:00000007 [INF] Invoking IdentityServer endpoint: "IdentityServer4.Endpoints.EndSessionEndpoint" for "/connect/endsession" (f7642de5)
2018-06-11T16:11:29.9963239-04:00 0HLEFQTLST4A1:00000007 [INF] End session request validation success
"{
  \"SubjectId\": \"MOORESTOWN\\rpannell1\",
  \"Raw\": {
    \"post_logout_redirect_uri\": \"http://localhost:21402/signout-callback-oidc\",
    \"state\": \"CfDJ8A54aiN-IdtIpcL6PAgpJbMSpzMkkd27BJqnGFbTgRwiqdf1XkpfMApJnfC0_3BOsVALgr2skPwBmy74ToICvY6ZjWsd4BJLHkVqJD9Cp45zXBKH37iX2o2y6A8wD30yghQDcA4B2iPHg6eAjliWN4h8jv3PdlE_gjIKiNY-Eckk\",
    \"x-client-SKU\": \"ID_NET\",
    \"x-client-ver\": \"2.1.4.0\"
  }
}" (8a893fca)
2018-06-11T16:11:30.0114218-04:00 0HLEFQTLST4A1:00000007 [INF] Request finished in 40.0686ms 302  (791a596a)
2018-06-11T16:11:30.0233725-04:00 0HLEFQTLST4A2:00000007 [INF] Request starting HTTP/1.1 GET http://localhost:44329/account/logout?logoutId=CfDJ8Lr1ecTh1x5IjvA0NxR18eixqgY1PROntfeC5wQJbnQmhM8qTPkm3Dt4ckYZ5sm1NFGrcOh2t67DG6X5buzj8klwDUz8rXzYBIFoTpxIKk4Zi-BhQIimvGKeukPMtgodz16q47X8PTqvaq0TIPLNPvl-QEh54ZZBafc9lk0amvlttW4CPfGGwoCpUJV_vwt9n6B7uu4_WEKaX65qF8O0vu7f-i-IZ_up2T19USJoZMSmy5uRo7-ZpReWgMfB6Ym2jOrWYA2KQBlKgczfmAWyj7eGbz0jRXecCbgcqwIVfVHsgWGL4-DdvM44YG7mp7-AvJAQ1ZOeLT2ootHcwt_ulYNb_zsy-OCT-XdblPBGAXuLqzuTuvEpbkUnF0cE2Amltwmq_ZWc89GK9QG_Ectubzl23k3S0oJ0AjHFSXCezPm61nRjiKhLtY6O1soIgLzSv_NyjdwQIbmJByiBv1NsH7I   (ca22a1cb)
2018-06-11T16:11:30.0259399-04:00 0HLEFQTLST4A2:00000007 [INF] AuthenticationScheme: "idsrv" was successfully authenticated. (1805f3b3)
2018-06-11T16:11:30.0280733-04:00 0HLEFQTLST4A2:00000007 [INF] AuthenticationScheme: "idsrv" was successfully authenticated. (1805f3b3)
2018-06-11T16:11:30.0356306-04:00 0HLEFQTLST4A2:00000007 [INF] Executing action method "IBI.Login.Service.Controllers.AccountController.Logout (IBI.Login.Service)" with arguments (["CfDJ8Lr1ecTh1x5IjvA0NxR18eixqgY1PROntfeC5wQJbnQmhM8qTPkm3Dt4ckYZ5sm1NFGrcOh2t67DG6X5buzj8klwDUz8rXzYBIFoTpxIKk4Zi-BhQIimvGKeukPMtgodz16q47X8PTqvaq0TIPLNPvl-QEh54ZZBafc9lk0amvlttW4CPfGGwoCpUJV_vwt9n6B7uu4_WEKaX65qF8O0vu7f-i-IZ_up2T19USJoZMSmy5uRo7-ZpReWgMfB6Ym2jOrWYA2KQBlKgczfmAWyj7eGbz0jRXecCbgcqwIVfVHsgWGL4-DdvM44YG7mp7-AvJAQ1ZOeLT2ootHcwt_ulYNb_zsy-OCT-XdblPBGAXuLqzuTuvEpbkUnF0cE2Amltwmq_ZWc89GK9QG_Ectubzl23k3S0oJ0AjHFSXCezPm61nRjiKhLtY6O1soIgLzSv_NyjdwQIbmJByiBv1NsH7I"]) - ModelState is Valid (ba7f4ac2)

I am using the MVCHybrid from the samples solution with this setup in the client.

services.AddAuthentication(options =>
    {
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = "oidc";
    })
    .AddCookie(options =>
    {
        options.ExpireTimeSpan = TimeSpan.FromMinutes(60);
        options.Cookie.Name = "mvchybrid";
    })
    .AddOpenIdConnect("oidc", options =>
    {
        // options.SignInScheme = "mvchybrid";
        options.Authority = "https://localhost:44329/";
        options.RequireHttpsMetadata = false;
        options.ClientSecret = "superSecretPassword";
        options.ClientId = "webFrameworkOpenIdClient";
        options.Resource = "openid profile api1 offline_access";
        options.ResponseType = "code id_token token";
        options.Scope.Clear();
        options.Scope.Add("openid");
        options.Scope.Add("profile");
        // options.Scope.Add("email");
        options.Scope.Add("api1");
        options.Scope.Add("offline_access");
        options.GetClaimsFromUserInfoEndpoint = true;
        options.SignedOutRedirectUri = "http://localhost:21402/";
        // options.SaveTokens = true;

        options.TokenValidationParameters = new TokenValidationParameters
        {
            NameClaimType = JwtClaimTypes.Name,
            RoleClaimType = JwtClaimTypes.Role,
        };
    });

The MvcHybrid Logout action result looks like this:

public IActionResult Logout()
{
    return new SignOutResult(new[] { "Cookies", "oidc" });
}

The URL is in the database and is set up as both http://localhost:21402/ and http://localhost:21402/signout-callback-oidc to be sure that both are available.

Can anybody give me some thoughts on how to get this set up correctly? From everything I am seeing, the data is set up correctly and the data is going over the wire correctly.

Thoughts?

Upvotes: 2

Views: 3331

Answers (1)

Rodney Pannell

Found it: the configuration was wrong. The fix is SaveTokens = true, which will send the id_token via the query string.

.AddOpenIdConnect("oidc", options =>
{
    options.Authority = "https://localhost:44329/";
    options.RequireHttpsMetadata = false;
    options.ClientSecret = "superSecretPassword";
    options.ClientId = "webFrameworkOpenIdClient";
    options.Resource = "openid profile api1 offline_access";
    options.ResponseType = "code id_token token";
    options.Scope.Clear();
    options.Scope.Add("openid");
    options.Scope.Add("profile");
    options.Scope.Add("api1");
    options.Scope.Add("offline_access");
    options.GetClaimsFromUserInfoEndpoint = true;
    options.SignedOutRedirectUri = "http://localhost:21402/";
    /* HERE */
    options.SaveTokens = true;
    /* HERE */
    options.TokenValidationParameters = new TokenValidationParameters
    {
        NameClaimType = JwtClaimTypes.Name,
        RoleClaimType = JwtClaimTypes.Role,
    };
});

I had a previous issue where the query string was too large because of the number of claims my user will have. Going over to the web.config in the identity server solution, I updated the max query string setting to an extremely large number. The default is 2048 and my token was over 3000 characters. This allows the id_token_hint parameter to be sent, which is necessary for a post_logout_redirect_uri to be picked up. See the new log entry below.

<system.webServer>
    <security>
        <requestFiltering>
            <!-- Raise the IIS query string limit so the id_token_hint fits -->
            <requestLimits maxQueryString="32768" />
        </requestFiltering>
    </security>
</system.webServer>


2018-06-12T11:54:48.6190847-04:00 0HLEGFIG5NHS6:0000000A [INF] End session request validation success
"{
  \"ClientId\": \"webFrameworkOpenIdClient\",
  \"ClientName\": \"Client For IBI Web Applicaiton Framework\",
  \"SubjectId\": \"MOORESTOWN\\rpannell1\",
  \"PostLogOutUri\": \"http://localhost:21402/signout-callback-oidc\",
  \"State\": \"CfDJ8A54aiN-IdtIpcL6PAgpJbOn0XeMop9RKInYCbgTcAxYu2fkXOF7qQrgD8XAilOa4LsQSm7kC40OxybIKAnhMWS3EY_4bHadBJ8yMwUFhNbAB5p6AAggJi_Jvm7ewcoRG_gi0xshxzZ9df4aAemnJpDl0KePcJIq1E-SCH9LTVkh\",
  \"Raw\": {
    \"post_logout_redirect_uri\": \"http://localhost:21402/signout-callback-oidc\",
    \"id_token_hint\": \"eyJhbGciOiJSUzI1NiIsImtpZCI6IjA4MDI3ZjIyMDM1NmQzNTIyNDkzNWU4ZDIxY2RhMGVkIiwidHlwIjoiSldUIn0.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.TiTurTiN5g__lnOuFBWNi5puHyEv9yfHxugi5USuMV77FErl05aKv9qEKi72vwyG1ELWWtwR0SC73BEEvLXyHx7A-3RO-bvCLbvQhaQs4iTJQ642Iir0cTkqfZVje_DavQbqWnREWHsmwikUsyu-YLf82CqTpSm1OV0hbauPW02wNZGxJU1jRYhPr9dYraNUo8KL77M3mWx6CnZ5XFf6igHnUTSbH5xv0phnPbsDXJ5bsvuzo4DY-IQLyM3K17gAfKy8DPFoiVzZxKM1_fGXbEr9Hf5qw7GCd7I5sGxwfBz5RKYcqa9ahcTt9WBq6QrslFXrl76N4MgY40v3LeHW4w\",
    \"state\": \"CfDJ8A54aiN-IdtIpcL6PAgpJbOn0XeMop9RKInYCbgTcAxYu2fkXOF7qQrgD8XAilOa4LsQSm7kC40OxybIKAnhMWS3EY_4bHadBJ8yMwUFhNbAB5p6AAggJi_Jvm7ewcoRG_gi0xshxzZ9df4aAemnJpDl0KePcJIq1E-SCH9LTVkh\",
    \"x-client-SKU\": \"ID_NET\",
    \"x-client-ver\": \"2.1.4.0\"
  }
}" (8a893fca)

Upvotes: 1
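
A log triage sketch for the failure described in this thread, added here as an example and not part of the original posts: it scans `Request starting` lines for `/connect/endsession` and flags requests that carry `post_logout_redirect_uri` without `id_token_hint`, or whose query string exceeds the IIS `maxQueryString` limit. The function names and the sample log lines are constructed for illustration; the 2048 default is the value quoted in the answer.

```python
import re
from urllib.parse import urlsplit, parse_qs

DEFAULT_MAX_QUERY_STRING = 2048  # IIS default quoted in the answer above
REQUEST_RE = re.compile(r"Request starting HTTP/\S+ GET (\S+)")


def check_end_session_url(url, max_query_string=DEFAULT_MAX_QUERY_STRING):
    """Return findings for one /connect/endsession request URL."""
    query = urlsplit(url).query
    params = parse_qs(query)  # blank values are dropped, so an empty hint counts as missing
    findings = []
    if "post_logout_redirect_uri" in params and "id_token_hint" not in params:
        # Without the hint the redirect URI is not picked up (the symptom in the question).
        findings.append("missing id_token_hint")
    if len(query) > max_query_string:
        # Request filtering rejects the request before IdentityServer sees it.
        findings.append("query string too long")
    return findings


def triage(log_text, max_query_string=DEFAULT_MAX_QUERY_STRING):
    """Return (timestamp, findings) for every end-session request in the log."""
    results = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match or "/connect/endsession" not in match.group(1):
            continue
        timestamp = line.split()[0]
        results.append((timestamp, check_end_session_url(match.group(1), max_query_string)))
    return results


# Constructed sample lines in the log format shown on this page; tokens are placeholders.
BASE = ("http://localhost:44329/connect/endsession?post_logout_redirect_uri="
        "http%3A%2F%2Flocalhost%3A21402%2Fsignout-callback-oidc&state=CONSTRUCTED")
SAMPLE_LOG = "\n".join([
    f"2018-06-11T16:11:29-04:00 REQ1 [INF] Request starting HTTP/1.1 GET {BASE}",
    f"2018-06-12T11:54:48-04:00 REQ2 [INF] Request starting HTTP/1.1 GET {BASE}&id_token_hint=a.b.c",
    f"2018-06-12T11:55:10-04:00 REQ3 [INF] Request starting HTTP/1.1 GET {BASE}&id_token_hint={'A' * 3000}",
    "2018-06-12T11:55:11-04:00 REQ3 [INF] Request finished in 40.0686ms 302",
])

if __name__ == "__main__":
    for timestamp, findings in triage(SAMPLE_LOG):
        print(timestamp, findings or "ok")
```

Running `triage` again with `max_query_string=32768` shows the third request passing once the limit from the answer's web.config is in place.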
