
I am trying to set IdTokenHint when sending the sign out request. In the previous Microsoft.Owin.Security.OpenIdConnect middleware I would be able to set the id_token as a claim in the SecurityTokenValidated method using the SecurityTokenValidated notification by doing something like this:

app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
    ...
    Notifications = new OpenIdConnectAuthenticationNotifications
    {
        // Perform claims transformation: keep the raw id_token as a claim on the identity
        SecurityTokenValidated = async notification =>
        {
            ...
            notification.AuthenticationTicket.Identity.AddClaim(new Claim("id_token", notification.ProtocolMessage.IdToken));
        },
        RedirectToIdentityProvider = async n =>
        {
            // On the logout redirect, read the stored id_token back and send it as id_token_hint
            if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.LogoutRequest)
            {
                var idTokenHint = n.OwinContext.Authentication.User.FindFirst("id_token").Value;
                n.ProtocolMessage.IdTokenHint = idTokenHint;
            }
        }
    }
});

With the new middleware Microsoft.AspNetCore.Authentication.OpenIdConnect (in ASP.NET Core RC2) I am having trouble trying to accomplish the same thing. I am assuming I should tap into the Events like so.

app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
{
    ...
    Events = new OpenIdConnectEvents()
    {
        // Event handlers must return a Task
        OnTokenValidated = context =>
        {
            ...
            context.SecurityToken.Payload.AddClaim(new Claim("id_token", context.ProtocolMessage.IdToken));
            return Task.CompletedTask;
        },
        OnRedirectToIdentityProviderForSignOut = context =>
        {
            var idTokenHint = context.HttpContext.User.FindFirst("id_token").Value;
            context.ProtocolMessage.IdTokenHint = idTokenHint;
            return Task.CompletedTask;
        }
    }
});

The problem I'm seeing is that the claims do not remain on the SecurityToken and don't get set on the HttpContext.User. What am I missing?

LukeP

  • IIRC the OIDC middleware sends it automatically. – Brock Allen Jun 01 '16 at 20:17
  • You are correct, it looks like it is including the `idTokenHint` on the logout request automatically. I'm not sure how I missed it the first time around! I am curious how claims transformation works in the new OIDC middleware though. – LukeP Jun 01 '16 at 20:41
  • Claims transformation is also built-in as a middleware. It's quite easy. – Brock Allen Jun 02 '16 at 15:26
  • @BrockAllen Hi! I am facing the same issue with .Net Core. Although I am using _OnRedirectToIdentityProviderForSignOut_ event, _n.ProtocolMessage.RequestType_ remains _Authentication_ and I can't find _"id_token"_ claim. Could you please let me know what could be wrong here? – Aparna Gadgil Aug 20 '19 at 10:45
  • I've got the same problem/question as @AparnaGadgil – johey May 07 '20 at 14:18
  • It won't be a claim if I remember properly. Try `context.Properties.GetTokenValue("id_token")` – LukeP May 07 '20 at 15:59

1 Answer

Regarding your code above, at least in version 2.1 of ASP.NET Core, the ID token can be accessed via context.Properties.GetTokenValue(...) (rather than as a user claim).

And, as Brock Allen said in a comment to your question, the OpenIdConnectHandler will automatically include the idTokenHint on sign out. However, and this bit me for a few hours today, when the handler processes the sign-in callback, it will only save the tokens for later if OpenIdConnectOptions.SaveTokens is set to true. The default is false, i.e., the tokens are no longer available when you do the sign-out.

So, if SaveTokens is true, the handler will automatically include the idTokenHint on logout, and you can also manually access the id token via context.Properties.GetTokenValue(...).

Fabian Schmied
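As an added example (not code from the question or the answer), here is an ASP.NET Core 2.1 Startup that applies the answer's SaveTokens fix and, in the sign-out event, checks that the handler actually attached an id_token_hint. The Authority and ClientId values are placeholders, and the HttpContext.GetTokenAsync fallback is an assumption about where the saved token can be read from.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(options =>
        {
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(options =>
        {
            options.Authority = "https://idp.example.test"; // placeholder, not a real provider
            options.ClientId = "example-client";            // placeholder

            // The default is false: the handler then discards the tokens after the
            // sign-in callback, and the later sign-out request carries no
            // id_token_hint. With true, the tokens are stored in the auth cookie
            // (which grows accordingly, so watch the cookie size).
            options.SaveTokens = true;

            options.Events = new OpenIdConnectEvents
            {
                OnRedirectToIdentityProviderForSignOut = async context =>
                {
                    // With SaveTokens on, the handler has already set IdTokenHint.
                    // If it is missing (e.g. a cookie issued before SaveTokens was
                    // enabled), try the stored token; assumed readable via
                    // HttpContext.GetTokenAsync from the cookie scheme.
                    if (string.IsNullOrEmpty(context.ProtocolMessage.IdTokenHint))
                    {
                        var idToken = await context.HttpContext.GetTokenAsync("id_token");
                        if (!string.IsNullOrEmpty(idToken))
                        {
                            context.ProtocolMessage.IdTokenHint = idToken;
                        }
                    }
                }
            };
        });
    }
}
```

Without a hint the provider cannot tell which session the logout request belongs to, so verifying it here is a cheap way to catch a misconfigured SaveTokens before users hit a provider-side error page.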