
External IDP Post Logout Redirect gets stuck

Open strtdusty opened this issue 9 years ago • 8 comments

  • [x] I read and understood how to enable logging

Question / Issue

This is somewhat related to issue 2657 but not completely. I believe once that issue is resolved they will move on to this issue.

When logging out of a federated provider (AAD for me) you do not get redirected to the PostLogoutRedirectUri requested. You end up stopped on the ID3 logout view with no text or link to the redirect (those sections of the view model are null). Tracing it back, I am blaming the problem on prematurely removing the Signout Message Cookie.

1. The client application requests a logout by posting a request to the IS3 /endsession passing the redirect uri and the token hint.
   The Signout Message Cookie is created and the browser is redirected to /logout.
2. AuthenticationController.Logout(id) is called. Internally IDS calls QueueRemovalOfSignOutMessageCookie().
   The method completes and raises the logged out event.
3. The LoggedOutViewModel is constructed, but not actually used because we have not hit our callback and called RenderLoggedOutViewAsync.
4. The Signout Message Cookie is deleted. :(
5. The user is redirected to the external provider's logout page.
   The redirect passed here is to our callback (/signoutcallback).
   We pull the signout message ID from a temporary cookie and call RenderLoggedOutViewAsync with that state.
6. AuthenticationController.Logout(id) is called a second time.
   However, when reading the Signout Message Cookie nothing is found because it was deleted the first time through.
   The logout view is rendered with a partial view model that does not contain any of the state from the Signout Message Cookie.

My proposed solution is to protect the removal of the signout message cookie by changing the Logout method to only call it when it is actually time to render the logout view:

if (context.ShouldRenderLoggedOutPage()) { context.QueueRemovalOfSignOutMessageCookie(id); }

If this makes sense, I would be happy to create a fork/PR for review.

strtdusty avatar Mar 24 '16 19:03 strtdusty
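To make the ordering problem in steps 1-6 concrete, here is a small Python model of the two passes through Logout(id). It is an added illustration, not IdentityServer3's code and not the reporter's repro project: the class and function names, the cookie names and the client and IdP URLs are assumptions chosen to mirror the steps in the report. The `guard_removal` flag stands in for the proposed `ShouldRenderLoggedOutPage()` check around the cookie removal.

```python
"""Model of the federated end-session flow described in the issue.

Added illustration, not IdentityServer3 code. SignOutMessage, Browser,
logout_pass, signout_callback and the cookie names are assumptions that
mirror the reported steps; all URLs are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple

SIGNOUT_MESSAGE_COOKIE = "idsvr.signoutmessage"    # assumed cookie name
SIGNOUT_CALLBACK_COOKIE = "idsvr.signoutcallback"  # assumed temp cookie name


@dataclass
class SignOutMessage:
    """State the client sent to /endsession (step 1)."""
    client_id: str
    post_logout_redirect_uri: str


@dataclass
class Browser:
    """Cookie jar shared by every request in the flow."""
    cookies: dict = field(default_factory=dict)


def endsession(browser: Browser, msg_id: str, message: SignOutMessage) -> str:
    """Step 1: persist the signout message in a cookie and redirect to /logout."""
    browser.cookies[f"{SIGNOUT_MESSAGE_COOKIE}.{msg_id}"] = message
    return f"/logout?id={msg_id}"


def logout_pass(browser: Browser, msg_id: str,
                external_signout_url: Optional[str],
                guard_removal: bool) -> Tuple[str, Optional[str]]:
    """One call to Logout(id) (steps 2-6).

    external_signout_url is set on the first pass (the user signed in through
    an external IdP that must also be signed out) and None on the pass that
    runs from /signoutcallback. guard_removal=False is the behaviour the issue
    reports; guard_removal=True is the proposed fix.
    """
    key = f"{SIGNOUT_MESSAGE_COOKIE}.{msg_id}"
    message = browser.cookies.get(key)
    should_render = external_signout_url is None  # stands in for ShouldRenderLoggedOutPage()

    if should_render or not guard_removal:
        browser.cookies.pop(key, None)  # step 4: the cookie removal

    if not should_render:
        # step 5: remember the id for the callback, then bounce to the external IdP
        browser.cookies[SIGNOUT_CALLBACK_COOKIE] = msg_id
        return ("redirect", external_signout_url)

    # step 6: render the logged-out view with whatever state survived
    return ("render", message.post_logout_redirect_uri if message else None)


def signout_callback(browser: Browser, guard_removal: bool) -> Tuple[str, Optional[str]]:
    """The external IdP returns to /signoutcallback; the id comes from the temp cookie."""
    msg_id = browser.cookies.pop(SIGNOUT_CALLBACK_COOKIE)
    return logout_pass(browser, msg_id, None, guard_removal)


def run_flow(guard_removal: bool) -> Optional[str]:
    """Full federated logout; returns the redirect URI available to the final view."""
    browser = Browser()
    message = SignOutMessage("mvc-client", "https://client.example/signed-out")
    endsession(browser, "m1", message)
    kind, target = logout_pass(browser, "m1", "https://idp.example/logout", guard_removal)
    assert kind == "redirect" and target == "https://idp.example/logout"
    kind, target = signout_callback(browser, guard_removal)
    assert kind == "render"
    return target


if __name__ == "__main__":
    print("as reported:", run_flow(guard_removal=False))
    print("with guard: ", run_flow(guard_removal=True))
```

In the as-reported run the second pass finds no cookie, so the view model's redirect URI is None, which is the empty logout page the report describes. With the guard the cookie survives the round trip through the external IdP and is only removed on the pass that actually renders the page.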

The Signout Message Cookie is deleted

This only happens if the response status code is 200, so if you get redirected back to the IdP then the cookie is not removed. Am I missing something?

brockallen avatar Mar 30 '16 15:03 brockallen

It is entirely possible that I am missing something. The cookie is removed before redirecting to the IdP. So when you come back from the IdP there is no context/view model.

strtdusty avatar Mar 31 '16 04:03 strtdusty

Ok, I can see if I can repro.

brockallen avatar Mar 31 '16 13:03 brockallen

@brockallen I have a repo project available at https://github.com/strtdusty/IS3PostLogoutRedirectExample/

strtdusty avatar Apr 06 '16 16:04 strtdusty

Did the repo project work for you?

strtdusty avatar Apr 19 '16 14:04 strtdusty

I did not yet look at it.

brockallen avatar Apr 23 '16 19:04 brockallen

I think I have the same issue here

AliBazzi avatar Mar 27 '17 10:03 AliBazzi

I never looked into this, but I'll change it to a bug report. The real issue here is that we don't plan on any more enhancement to this project.

brockallen avatar Nov 04 '17 15:11 brockallen