SimpleIdServer
Problem with logout when using a relative path
Hello, an issue has been identified in the logout functionality when a relative path is specified (e.g., https://{host}/staging/identity). The problem occurs in the EndSession method of the CheckSessionController.
```csharp
....
if (Request.QueryString.HasValue)
{
    url = Request.GetEncodedPathAndQuery().Replace($"/{Config.DefaultEndpoints.EndSession}", $"/{Config.DefaultEndpoints.EndSessionCallback}");
}
....
var authenticatedUser = await _authenticationHelper.GetUserByLogin(subject, prefix, cancellationToken);
if (!frontChannelLogouts.Any() && !validationResult.Client.RedirectToRevokeSessionUI)
{
    var issuer = Request.GetAbsoluteUriWithVirtualPath();
    return Redirect($"{issuer}{url}");
}
```

Redirect -> `https://{host}/staging/identity/staging/identity/end_session_callback`

Further details will be added if additional findings emerge.
The same problem was found in ResetController.
```csharp
// 4. Send the OTP code.
var url = Url.Action("Confirm", "Reset", new
{
    area = Constants.AreaPwd
});
var issuer = Request.GetAbsoluteUriWithVirtualPath();
....
```
Hello, both issues have been fixed in the branch release/v6.0.3.
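
The duplication reported in this thread, reproduced as an added example (not SimpleIdServer's code and not the fix in release/v6.0.3), next to a composition that adds the virtual path only once. It assumes `GetAbsoluteUriWithVirtualPath()` returns scheme + host + `PathBase`, that the end-session endpoint is named `end_session`, and uses a constructed host and query; it needs a project that references the ASP.NET Core shared framework.

```csharp
using System;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Http.Extensions;

static class EndSessionUrlDemo
{
    // Assumed endpoint names; only "end_session_callback" appears in the thread.
    const string EndSession = "end_session";
    const string EndSessionCallback = "end_session_callback";

    // Hypothetical stand-in for GetAbsoluteUriWithVirtualPath(): assumed to
    // return scheme + host + PathBase, consistent with the reported redirect.
    static string Issuer(HttpRequest r) =>
        UriHelper.BuildAbsolute(r.Scheme, r.Host, r.PathBase);

    // Pattern from the report: GetEncodedPathAndQuery() already begins with
    // PathBase, so prefixing the issuer repeats the virtual path.
    public static string Duplicated(HttpRequest r) =>
        Issuer(r) + r.GetEncodedPathAndQuery()
            .Replace($"/{EndSession}", $"/{EndSessionCallback}");

    // PathBase-safe composition: rewrite only the final segment of Path
    // (which never contains PathBase) and let UriHelper add PathBase once.
    public static string Composed(HttpRequest r)
    {
        var path = r.Path.Value ?? string.Empty;
        var suffix = "/" + EndSession;
        if (!path.EndsWith(suffix, StringComparison.Ordinal))
            throw new InvalidOperationException("Not an end-session request.");
        var callback = new PathString(path[..^suffix.Length] + "/" + EndSessionCallback);
        return UriHelper.BuildAbsolute(r.Scheme, r.Host, r.PathBase, callback, r.QueryString);
    }

    static void Main()
    {
        // Constructed request: app hosted under the virtual path /staging/identity.
        var request = new DefaultHttpContext().Request;
        request.Scheme = "https";
        request.Host = new HostString("idp.example.test");
        request.PathBase = "/staging/identity";
        request.Path = "/end_session";
        request.QueryString = new QueryString("?state=constructed");

        Console.WriteLine(Duplicated(request));
        Console.WriteLine(Composed(request));
    }
}
```

The first printed URL contains `/staging/identity` twice, as in the report; the second contains it once.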