IdentityServer4 PostLogoutRedirectUri null

2020-02-29 01:03发布

问题:

I am attempting to get the implicit flow working for IdentityServer4. Login and logout work correctly, however the PostLogoutRedirectUri is coming back null, despite setting the value where it needs to be set. What I would like is for the logout process to redirect back to my application after the logout is complete.

I am getting the logoutId correctly, and Logout calls BuildLoggedOutViewModelAsync:

[HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Logout(LogoutInputModel model)
    {
        var vm = await _account.BuildLoggedOutViewModelAsync(model.LogoutId);
...

This method is located in my AccountService.cs class, which then calls the GetLogoutContextAsync of the DefaultIdentityServiceInteractionService:

public async Task<LoggedOutViewModel> BuildLoggedOutViewModelAsync(string logoutId)
    {
        // get context information (client name, post logout redirect URI and iframe for federated signout)
        var logout = await _interaction.GetLogoutContextAsync(logoutId);
...

Which creates a IdentityServer4.Models.LogoutRequest.

The SignOutIFrameUrl string property is set to "http://localhost:5000/connect/endsession/callback?sid=bf112f7785bc860fcc4351893012622e&logoutId=d6649e7f818d9709b2c0bc659696abdf" but nothing else seems to have been populated in the LogoutRequest.

Unfortunately, this means that the PostLogoutRedirectUri is null and the AutomaticRedirectAfterSignOut is also null, and when the LoggedOut.cshtml page is loaded, the signout-callback.js file is never loaded:

@section scripts
{
    @if (Model.AutomaticRedirectAfterSignOut)
    {
        <script src="~/js/signout-redirect.js"></script>
    }
}

Here are my configuration settings.

Config.cs:

public static IEnumerable<Client> GetClients()
    {
        return new List<Client>
        {
            new Client
            {
                ClientId = "implicit.client",
                AllowedGrantTypes = GrantTypes.Implicit,
                AllowAccessTokensViaBrowser = true,
                AllowedScopes = 
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile,
                    "ContractManagerAPI"
                },
                RedirectUris = { "http://localhost:9000/" },
                PostLogoutRedirectUris = { "http://localhost:9000/" },
                AllowedCorsOrigins = { "http://localhost:9000" },
                RequireConsent = false,

            }                
        };
    }

app.ts (js client):

import {UserManager} from 'oidc-client';
import { inject, Factory } from 'aurelia-framework';

@inject(Factory.of(UserManager))
export class App {
  userManager: UserManager;

  constructor(userManagerFactory){
    let config = {
      authority: 'http://localhost:5000',
      client_id: 'implicit.client',
      response_type: 'id_token token',
      scope: 'openid profile ContractManagerAPI',
      redirect_uri: 'http://localhost:9000/',
      post_logout_redirect_uri: 'http://localhost:9000/'
    };

    this.userManager = userManagerFactory(config);
  }

  login(){
    this.userManager.signinRedirect();
  }

  logout(){
    this.userManager.signoutRedirect();
  }
}

Relevant parts of Startup.cs:

services.AddIdentityServer()
                .AddTemporarySigningCredential()
                .AddInMemoryApiResources(Config.GetApiResources())
                .AddInMemoryClients(Config.GetClients())
                .AddInMemoryIdentityResources(Config.GetIdentityResources())
                .AddContractManagerUserStore()
                .AddProfileService<ContractManagerProfileService>();

Any assistance in figuring out where I'm going wrong would be greatly appreciated.

Thanks!

回答1:

pass id_token_hint arg to signoutRedirect()

you can get id_token_hint from the User object returned by signinRedirect();

so lets say you got a variable called "user" in your ts file that got set as a result of the user logging in via signinRedirect().

then you would do...

logout(){
    this.userManager.signoutRedirect({ 'id_token_hint': this.user.id_token });
}


回答2:

Make sure you have these settings properly configured:

public class AccountOptions
        {
            public static bool AllowLocalLogin = true;
            public static bool AllowRememberLogin = true;
            public static TimeSpan RememberMeLoginDuration = TimeSpan.FromDays(30);

            public static bool ShowLogoutPrompt = false;
            public static bool AutomaticRedirectAfterSignOut = true;

            public static bool WindowsAuthenticationEnabled = false;
            // specify the Windows authentication schemes you want to use for authentication
            public static readonly string[] WindowsAuthenticationSchemes = new string[] { "Negotiate", "NTLM" };
            public static readonly string WindowsAuthenticationDisplayName = "Windows";

            public static string InvalidCredentialsErrorMessage = "Invalid username or password";
        }


回答3:

Try configuring the LogoutUrl for the MVC client!



回答4:

I want to share my experience of solving issues with null PostLogoutRedirectUri value.

To initiate Logout process you must first call SignOut("Cookies", "oidc") on mvc client side. Otherwise you will have null logoutId value on Identity Server side. Example endpoint in my HomeController:

public IActionResult Logout()
{
    return SignOut("Cookies", "oidc");
}

I always had null PostLogoutRedirectUri value in logout context until I added SignInScheme value on mvc client side. These settings of authentication on MVC client side works for me:

var authenticationBuilder = services.AddAuthentication(options =>
{
    options.DefaultScheme = "Cookies";
    options.DefaultChallengeScheme = "oidc";
});

authenticationBuilder.AddCookie(options =>
{
    options.ExpireTimeSpan = TimeSpan.FromMinutes(60);
    options.Cookie.Name = "identity_server_mvc";
});

authenticationBuilder.AddOpenIdConnect("oidc", options =>
{
    options.Authority = "{IDENTITY_SERVER_URL}";
    options.ClientId = "mvc";
    options.SaveTokens = true;
    options.SignInScheme = "Cookies";
});

You also need to make sure that you have added the PostLogoutRedirectUri value to the client configuration on the Identity Server side:

new Client
{
    ClientId = "mvc",
    AllowedGrantTypes = GrantTypes.Implicit,

    RedirectUris           = { "{CLIENT_URL}/signin-oidc" },
    PostLogoutRedirectUris = { "{CLIENT_URL}/signout-callback-oidc" },

    AllowedScopes =
    {
        IdentityServerConstants.StandardScopes.OpenId,
        IdentityServerConstants.StandardScopes.Profile
    }
}

Hope it helps!