0

Here I want to achieve the SSO feature. if I logout from Identity server all clients connected to that with that userid should be logged out. But it is working for me.

I am using Identity Server Version="4.0.0"

I have setup the IDS clients , UI templates for loggedout, MVC client as below. But it is not signout from all clients.

new Client
    {
        ClientId = "testmvc",

        AllowedGrantTypes = GrantTypes.Code,
        
       
        // secret for authentication
        ClientSecrets =
        {
            new Secret("Secret".Sha256())
        },

        AllowOfflineAccess = true,

        // scopes that client has access to
        AllowedScopes = new List<string>
        {
            IdentityServerConstants.StandardScopes.OpenId,
            IdentityServerConstants.StandardScopes.Profile,
            IdentityServerConstants.StandardScopes.Address,
            "roles"
        },

        // where to redirect to after login
        RedirectUris = { "https://localhost:5002/signin-oidc" },
        
        

        // where to redirect to after logout
        PostLogoutRedirectUris = { "https://localhost:5002/signout-callback-oidc" },
        

        FrontChannelLogoutUri  = "https://localhost:5002/home/frontchannellogout" ,
        
    }

In MVC client I have created two logouts

//UI Logout
public async Task<IActionResult> Logout()
        {

            var client = _httpClientFactory.CreateClient("IDPClient");

            var discoveryDocumentResponse = await client.GetDiscoveryDocumentAsync();
            if (discoveryDocumentResponse.IsError)
            {
                throw new Exception(discoveryDocumentResponse.Error);
            }

            var accessTokenRevocationResponse = await client.RevokeTokenAsync(
                new TokenRevocationRequest
                {
                    Address = discoveryDocumentResponse.RevocationEndpoint,
                    ClientId = "testmvc",
                    ClientSecret = "Secret",
                    Token = await HttpContext.GetTokenAsync(OpenIdConnectParameterNames.AccessToken)
                });

            if (accessTokenRevocationResponse.IsError)
            {
                throw new Exception(accessTokenRevocationResponse.Error);
            }
            
            await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
            await HttpContext.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme);
            
            return Redirect(discoveryDocumentResponse.EndSessionEndpoint);
        }

//Front channel logout
            public async Task<IActionResult> FrontChannelLogout(string sid)
            {
                if (User.Identity.IsAuthenticated)
                {
                    var currentSid = User.FindFirst("sid")?.Value ?? "";
                    if (string.Equals(currentSid, sid, StringComparison.Ordinal))
                    {
                        await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
                    }
    
                }
    
                return NoContent();
            }
leo
  • 451
  • 1
  • 3
  • 12

1 Answers1

0

In the Logout method, you are signing out from both auth schemes (Cookies and OIDC), whereas in FrontChannelLogout you seem to be signing out only from the Cookies scheme. Isn't that the problem?

Either way, please try to define the methods like below, and check if the corresponding OIDC logout endpoint is called.

public async Task Logout()
{
    // ...
    await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
    await HttpContext.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme);
}

public async Task FrontChannelLogout(string sid)
{
    if (User.Identity.IsAuthenticated)
    {
        //...
            await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
            await HttpContext.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme);
    }
}
nunohpinheiro
  • 2,169
  • 13
  • 14
  • I used below blog to implement logout from all clients https://andersonnjen.com/2019/03/22/identityserver4-global-logout/ In UI Logout , its clearing both so already logout from the Identity Server. But noticed that FrontChannelLogout() is not being called. So that is not the issue. – leo Feb 19 '21 at 03:17
  • Ok, I updated the answer accordingly just now – nunohpinheiro Feb 19 '21 at 18:54
  • The actual problem is FrontChannelLogout is not being called. Can you help me to identify why it is being called. – leo Feb 22 '21 at 03:07
  • I have uploaded the identity server logout session values. I modified the function as mentioned but FrontChannelLogout is not calling. Please check. – leo Feb 24 '21 at 12:43
  • I am not sure if I understood your problem, but your FrontChannelLogout action has to be called by your app, for example with a Sign Out button or something like that... You have to call that action explicitly. Then, the SignOutAsync methods will process the sign out according to your configuration (presumably, you set that in your Startup) – nunohpinheiro Feb 25 '21 at 20:12
  • Thanks for your comment. Do you have any example regarding the scenario you mentioned. Did you find any issue while implementing the below link for Single sign out https://andersonnjen.com/2019/03/22/identityserver4-global-logout/ – leo Mar 01 '21 at 02:53
  • I never implemented like that example. In the company I work, we implemented it like I showed in the answer – nunohpinheiro Mar 01 '21 at 07:59