I have an ASP.NET MVC application with framework 4.7.2. The application is configured to use IdentityServer3 using OpenIDConnect. When the user clicks the Logout button, the following code is invoked.

Action method: the logout action method gets invoked first.

    [HttpPost]
    public ActionResult Logout()
    {
        Session.Clear();
        if (Request.IsAuthenticated)
        {
            Request.GetOwinContext().Authentication.SignOut();
        }            
        return Redirect("/");
    }

In the OWIN Startup.cs I have configured OpenIDConnect. The RedirectToIdentityProvider event fires next. Here, I am setting IdTokenHint when RequestType is Logout.

    using System.Configuration;
    using System.Threading.Tasks;
    using System.Web.Mvc;
    using Microsoft.Owin.Security.Cookies;
    using Microsoft.Owin.Security.OpenIdConnect;
    using Owin;

    public partial class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            var cookieOptions = new CookieAuthenticationOptions
            {
                AuthenticationType = "Cookies",
                LoginPath = new Microsoft.Owin.PathString("/Home"),
                SlidingExpiration = true,
                ExpireTimeSpan = GetCookieExpiration() // helper defined elsewhere in the app
            };

            var openIdOptions = new OpenIdConnectAuthenticationOptions
            {
                Authority = ConfigurationManager.AppSettings["id:Authority"],
                Scope = "openid email profile",
                ClientId = "My ClientId",
                RedirectUri = "http://localhost:58641/Home",
                ResponseType = "id_token",
                SignInAsAuthenticationType = "Cookies",
                UseTokenLifetime = false,

                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    SecurityTokenValidated = (context) =>
                    {
                        //code here removed for brevity

                        return Task.FromResult(0);
                    },

                    RedirectToIdentityProvider = (context) =>
                    {
                        // Only the logout (end_session) redirect needs the id_token_hint
                        if (context.ProtocolMessage.RequestType == Microsoft.IdentityModel.Protocols.OpenIdConnectRequestType.LogoutRequest)
                        {
                            var idTokenHint = context.OwinContext.Authentication.User.FindFirst("id_token").Value;
                            context.ProtocolMessage.IdTokenHint = idTokenHint;
                        }
                        return Task.FromResult(0);
                    }
                }
            };

            app.UseCookieAuthentication(cookieOptions);
            app.UseOpenIdConnectAuthentication(openIdOptions);

            MvcHandler.DisableMvcResponseHeader = true;
        }
    }

In Fiddler I see it makes a call to

`/identity/connect/endsession?id_token_hint=xxxxxxxx`. However, the HTTP verb it's using is OPTIONS, so IdentityServer throws the error `The requested resource does not support http method 'OPTIONS'`.


Not sure what I am missing here.

Edit 1

In browser console i see the following error

Access to XMLHttpRequest at 'https://localhost:44300/identity/connect/endsession?id_token_hint=xxxxxxx' (redirected from 'http://localhost:58641/account/logout') from origin 'http://localhost:58641' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Edit 2

I have another ASP.NET application that has the same logout code, but it's making a GET request to endsession.

LP13

Comments:

  • Have you changed the web.config file in the IdServer to allow the OPTIONS method? It should have an entry like: – TejSoft Jul 23 '20 at 01:33
  • I think that would be a hack. The client should not use the `OPTIONS` verb in the first place. – LP13 Jul 26 '20 at 00:09

1 Answer

When you see the use of OPTIONS and the request contains the origin header, then that is a CORS preflight request. This is an extra security request that occurs when a JavaScript client tries to make an AJAX request to an API.

Is this intended to trigger the endsession from JavaScript? If so, you need to set for that client in IdentityServer:

    AllowedCorsOrigins =
    {
        "https://localhost:xxxxx"
    },

This is set per client in IdentityServer.

Tore Nestenius
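Added example, not code from the question or the answer: a small JavaScript model of the browser-side CORS rules that decide when a script-initiated request gets an OPTIONS preflight, including the case this thread hits, where a same-origin XHR to the logout action is 302-redirected to the identity server on another origin. The sample requests are constructed; the URLs mirror the ones in the question, and the `X-Requested-With` header is the one jQuery adds to its XHRs.

```javascript
// Added example (not from the question or answer): a model of the browser's
// CORS decision for fetch/XMLHttpRequest requests, based on the Fetch
// standard's CORS-safelisted method/header rules and its redirect handling.
// Sample requests below are constructed; URLs mirror the question.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFE_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFE_MIMES = new Set(['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);
// Headers the browser removes when a redirect rewrites POST to GET.
const BODY_HEADERS = new Set(['content-type', 'content-length', 'content-encoding', 'content-location', 'content-language']);

function isSafelistedHeader(name, value) {
  const n = name.toLowerCase();
  if (!SAFE_HEADERS.has(n)) return false;
  return n !== 'content-type' || SAFE_MIMES.has(value.split(';')[0].trim().toLowerCase());
}

// Classify a request: 'navigation' (form post / link, not subject to CORS),
// 'same-origin', 'cors-simple' (no preflight, but the response must still
// carry Access-Control-Allow-Origin) or 'cors-preflight' (OPTIONS sent first).
function corsOutcome(req) {
  if (req.navigation) return 'navigation';
  if (new URL(req.url).origin === req.origin) return 'same-origin';
  const unsafeMethod = !SAFE_METHODS.has(req.method.toUpperCase());
  const unsafeHeader = Object.entries(req.headers).some(([k, v]) => !isSafelistedHeader(k, v));
  return unsafeMethod || unsafeHeader ? 'cors-preflight' : 'cors-simple';
}

// Follow a 30x from a fetch/XHR: the script's origin is kept, a 301/302 on
// POST (or any 303) becomes GET without body headers, and the CORS decision
// is then re-run against the new URL by calling corsOutcome() on the result.
function followRedirect(req, status, location) {
  const next = { ...req, url: new URL(location, req.url).href, headers: { ...req.headers } };
  if (status === 303 || ((status === 301 || status === 302) && req.method === 'POST')) {
    next.method = 'GET';
    for (const h of Object.keys(next.headers)) {
      if (BODY_HEADERS.has(h.toLowerCase())) delete next.headers[h];
    }
  }
  return next;
}

// Constructed sample: a jQuery-style XHR to the logout action (jQuery adds the
// non-safelisted X-Requested-With header), then the 302 to endsession.
const xhrLogout = {
  origin: 'http://localhost:58641', url: 'http://localhost:58641/account/logout',
  method: 'POST',
  headers: { 'Content-Type': 'application/x-www-form-urlencoded', 'X-Requested-With': 'XMLHttpRequest' },
};
const afterRedirect = followRedirect(xhrLogout, 302, 'https://localhost:44300/identity/connect/endsession?id_token_hint=xxxxxxx');
console.log(corsOutcome(xhrLogout), '->', corsOutcome(afterRedirect)); // same-origin -> cors-preflight
```

A logout submitted as a regular form post is a navigation, so the browser follows the 302 to endsession as a plain GET with no CORS check at all, which matches the behaviour of the asker's second application.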