Our company has custom-built Identity Server, which is used by a few of our web applications for authentication. I am trying to use our Identity Server with a newly created ASP.NET Core Web App, using the .NET 6 framework. I am trying to use the predefined OIDC URLs, without having to write the code myself.
The authentication is mostly working; for example, if I add [Authorize] to a certain Razor PageModel, it will automatically redirect to the Authority URL, and then return to that page upon authentication and be logged in.
What I am having trouble with is this: I cannot seem to get the automatic sign out to work. I am trying to use either of the predefined OIDC signout URLs (signout-oidc or signout-callback-oidc), but I seem to be missing something. I am also having trouble finding good sample code or clear documentation to help debug the issue.
I have also tried using OIDC events - for example "OnSignedOutCallbackRedirect":
using Microsoft.AspNetCore.Authentication;
using Microsoft.IdentityModel.Tokens;

services.AddAuthentication(options =>
{
    options.DefaultScheme = "Cookies";
    options.DefaultChallengeScheme = "oidc";
})
.AddCookie("Cookies")
.AddOpenIdConnect("oidc", options =>   // the configure delegate itself is synchronous; the awaits are inside the event handler
{
    options.Authority = testIdentitySettings.Authority;
    options.SignedOutRedirectUri = testIdentitySettings.SignedOutRedirectUri;
    options.RequireHttpsMetadata = testIdentitySettings.RequireHttpsMetadata ?? true;
    options.ClientId = testIdentitySettings.ClientId;
    options.SignInScheme = "Cookies";
    options.Scope.Add("roles");
    options.SaveTokens = true;
    options.TokenValidationParameters = new TokenValidationParameters
    {
        NameClaimType = "name",
        RoleClaimType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
    };
    // Runs when the Identity Server redirects the browser back to /signout-callback-oidc.
    options.Events.OnSignedOutCallbackRedirect = async context =>
    {
        await context.HttpContext.SignOutAsync("Cookies");
        var redirUrl = context.Options.SignedOutRedirectUri;
        var prop = new AuthenticationProperties
        {
            RedirectUri = redirUrl
        };
        await context.HttpContext.SignOutAsync("oidc", prop);
        context.Response.Redirect(redirUrl);
        context.HandleResponse();
    };
});
This almost seems to work. It does redirect to my SignedOutRedirectUri (/LoggedOut), and when I check the User on that page, the User.Identity shows IsAuthenticated = false, and has zero claims; however, if I then load the home page (/), the User.Identity is back as authenticated with all the claims.
Any help or insight would be appreciated.
CodePudding user response:
For the Logout example, you could refer to the code below.
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Auth0.AspNetCore.Authentication;

public class AccountController : Controller
{
    [Authorize]
    public async Task Logout()
    {
        var authenticationProperties = new LogoutAuthenticationPropertiesBuilder()
            // Indicate here where Auth0 should redirect the user after a logout.
            // Note that the resulting absolute Uri must be added to the
            // **Allowed Logout URLs** settings for the app.
            .WithRedirectUri(Url.Action("Index", "Home"))
            .Build();

        // Sign out of the Auth0 (OIDC) scheme so its handler can redirect to the
        // provider's logout endpoint, then clear the local authentication cookie.
        await HttpContext.SignOutAsync(Auth0Constants.AuthenticationScheme, authenticationProperties);
        await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
    }
}
Reference: Logout
If the issue persists, you could try the code sample below, which reduces the ExpireTimeSpan in the AddCookie configuration.
public void ConfigureServices(IServiceCollection services)
{
    services.AddAuthentication(/* ... */)
        .AddCookie(options =>
        {
            // Shorten the cookie lifetime so a stale session expires quickly during testing.
            options.ExpireTimeSpan = TimeSpan.FromMinutes(1);
        });
    // ...
}
For more detailed information, please refer to this answer.
CodePudding user response:
I would use this to do the signout:
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;

/// <summary>
/// Do the actual logout
/// </summary>
/// <returns></returns>
[Authorize]
public async Task DoLogout()
{
    // Clear the local cookie, then sign out of the OIDC handler, which redirects the
    // browser to the provider's end-session endpoint. The scheme names must match the
    // ones passed to AddCookie/AddOpenIdConnect (the defaults are "Cookies" and "OpenIdConnect").
    await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
    await HttpContext.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme);
}
I don't think you need to use the OnSignedOutCallbackRedirect handler.
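An added example, not code from the question or either answer: a Razor Pages logout for the setup in the question, ending both the local cookie session and the Identity Server session with the scheme names the question registers ("Cookies" and "oidc"). The Logout page name, the configuration keys and the /LoggedOut path are assumptions.

```csharp
// Program.cs: scheme registration, using the names from the question.
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddRazorPages();
builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = "Cookies";
    options.DefaultChallengeScheme = "oidc";
})
.AddCookie("Cookies")
.AddOpenIdConnect("oidc", options =>
{
    // Assumed configuration keys; the question reads these from testIdentitySettings.
    options.Authority = builder.Configuration["Identity:Authority"];
    options.ClientId = builder.Configuration["Identity:ClientId"];
    options.SignInScheme = "Cookies";
    // The Identity Server redirects here after ending its own session (this is the
    // default path); it must be registered at the provider as an allowed post-logout URL.
    options.SignedOutCallbackPath = "/signout-callback-oidc";
    // Where the middleware sends the browser once that callback arrives.
    options.SignedOutRedirectUri = "/LoggedOut";
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapRazorPages();
app.Run();

// Pages/Logout.cshtml.cs (assumed page name). Posted from a
// <form method="post" asp-page="/Logout"> so the antiforgery token is validated;
// a GET logout endpoint can be triggered by any cross-site page.
public class LogoutModel : PageModel
{
    public IActionResult OnPost()
    {
        // One result signs out of both schemes in order: the cookie handler deletes
        // the local cookie, then the OIDC handler redirects to the end_session_endpoint.
        // After the provider calls back to SignedOutCallbackPath, the browser lands on RedirectUri.
        return SignOut(
            new AuthenticationProperties { RedirectUri = "/LoggedOut" },
            "Cookies", "oidc");
    }
}
```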