
Problem with logout when using a relative path

Open HappyRoot opened this issue 8 months ago • 2 comments

Hello,

An issue has been identified in the logout functionality when a relative path is specified (e.g., https://{host}/staging/identity). The problem occurs in the EndSession method of the CheckSessionController.

....
 if (Request.QueryString.HasValue)
 {
     url = Request.GetEncodedPathAndQuery().Replace($"/{Config.DefaultEndpoints.EndSession}", $"/{Config.DefaultEndpoints.EndSessionCallback}");
 }
....
var authenticatedUser = await _authenticationHelper.GetUserByLogin(subject, prefix, cancellationToken);
if(!frontChannelLogouts.Any() && !validationResult.Client.RedirectToRevokeSessionUI)
{
    var issuer = Request.GetAbsoluteUriWithVirtualPath();
    return Redirect($"{issuer}{url}");
}

Redirect -> https://{host}/staging/identity/staging/identity/end_session_callback

Further details will be added if additional findings emerge.

HappyRoot, Jun 06 '25 14:06

The same problem was found in ResetController.

        // 4. Send the OTP code.
        var url = Url.Action("Confirm", "Reset", new
        {
            area = Constants.AreaPwd
        });
        var issuer = Request.GetAbsoluteUriWithVirtualPath();
....

HappyRoot, Jun 10 '25 12:06

Hello, both issues have been fixed in the branch release/v6.0.3.

simpleidserver, Jun 10 '25 13:06
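
An added example, not SimpleIdServer's code and not the fix in release/v6.0.3: it reproduces the doubled virtual path reported above for both controllers on a constructed request, next to one way to build the callback URL with the path base applied once. `IssuerWithPathBase` (a stand-in for `GetAbsoluteUriWithVirtualPath`), the `end_session` endpoint name, and the hosts are assumptions.

```csharp
// Added illustration; not SimpleIdServer code. Needs the ASP.NET Core shared
// framework (for example a project using Microsoft.NET.Sdk.Web).
using System;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Http.Extensions;

public static class PathBaseRedirectDemo
{
    // Assumed stand-in for the project's GetAbsoluteUriWithVirtualPath():
    // scheme + host + PathBase, consistent with the redirect quoted in the issue.
    static string IssuerWithPathBase(HttpRequest r) =>
        $"{r.Scheme}://{r.Host}{r.PathBase}";

    // Pattern from the issue: GetEncodedPathAndQuery() already starts with
    // PathBase, so prefixing the issuer repeats the virtual path.
    public static string Doubled(HttpRequest r, string from, string to) =>
        IssuerWithPathBase(r) + r.GetEncodedPathAndQuery().Replace($"/{from}", $"/{to}");

    // One alternative: rewrite only Path and let UriHelper add PathBase once.
    // The query string is carried over untouched.
    public static string Single(HttpRequest r, string from, string to)
    {
        var path = r.Path.Value ?? string.Empty;
        if (path.EndsWith($"/{from}", StringComparison.Ordinal))
            path = path[..^from.Length] + to;
        return UriHelper.BuildAbsolute(r.Scheme, r.Host, r.PathBase,
                                       new PathString(path), r.QueryString);
    }

    public static void Main()
    {
        // Constructed request, as seen by an app mounted under /staging/identity.
        var req = new DefaultHttpContext().Request;
        req.Scheme = "https";
        req.Host = new HostString("idp.example");
        req.PathBase = "/staging/identity";
        req.Path = "/end_session";
        req.QueryString = new QueryString("?post_logout_redirect_uri=https%3A%2F%2Fapp.example%2F");

        // Endpoint names are assumed values for Config.DefaultEndpoints.
        Console.WriteLine(Doubled(req, "end_session", "end_session_callback"));
        Console.WriteLine(Single(req, "end_session", "end_session_callback"));
    }
}
```

Running the same check with an empty `PathBase` shows why the defect only appears when the server is hosted under a virtual path: both methods then return the same URL.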