5
  • Using Identity Server 4
  • Asp.Net Core MVC client successfully logs in
  • When logging out from the client I get an error on the url https://identity.acme.com/connect/endsession.... (complete url listed below)

    "The resource you are looking for has been removed, had its name changed, or is temporarily unavailable."

AccountController.Logout calls

await HttpContext.SignOutAsync("Cookies");
await HttpContext.SignOutAsync("oidc");

The Url in the browser is:

https://identity.acme.com/connect/endsession?post_logout_redirect_uri=https%3A%2F%2Fadmin.acme.com%2Fsignout-callback-oidc&id_token_hint=eyJhbGciOiJSUzI1NiIsImtpZCI6IkQ1NjY2RURGQjNFM0M3MDdCNkJCRUFCNEU3NTU3Q0NDNTNBOTc2Q0IiLCJ0eXAiOiJKV1QiLCJ4NXQiOiIxV1p1MzdQanh3ZTJ1LXEwNTFWOHpGT3Bkc3MifQ.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.ifQJVB25rAB3HP30F9vtRvzLZ9dHjORHX7cKoG6SLLR3WqGzpoCkjnq10ijffjj2QbsvjxRPvsYPgbVxISwP04V79RFTHqZI7Z39vsBSZSGeJnkhQLXCvMs9i6F4-aiHR9dF3KTMCMOXFfiG0stG69vIMPckUHuTh5yT5a_nFSL4lebLb5AOpPHto8TtTy6SvFOGp7uyXw7d_KVQ3U9lo4RTYvPVePgq9bZf1DcaOL_gutj2EmHVrNc9kDIQRxK4rTbjx2kFrxD2LauEmh-OXTdzjOqtXLQF2jRwV4sGvPImiBOt75vLMlJJUP8B7sEm61bR50hfOqpycm46PO_awryxWGvqItjrYe8P0OQtuaQghCkesjToW4_OPHHQJIX2jXLN3i0SvfmPEB41pqmP73cKvCjMAMeCllfZ8pfRwzsbzvWKYZ2jZkF4CT6zQq4pEGblEl12yC-I59gqRYozhxz1hiPep4KkgHZ40VRjCR5LNu8Mmx2qp8B7xwyfzes1r7VnCeMJJd7LNqRRdE6mszj7vaZdvHb8n7UDud1hzktYLoVUENodCo4KrGuD7QwT28q8IK2sbtcK_98aLap2WeXcuDMsP5zbrGS2Vb3N4YezdqEU7YJjvk9tvdMdafTYe4LKNaq-cDHVnJh_pmXJsL6odwz9eXkddJBPzhHXf6M&state=CfDJ8Pr81inWVH5OlYUuWwOTfYygcAOv4qo4Jl03Su6yhd8WHQz8m-LK-vBDM8CjSBrqjNLz4Qdqx8759Wpts3AsgHnf997vKLyWqQSOgTQPOpy5qyouRMRmHEsk-h5BnQR4_SHIkzo5_kgJQ0xROmsqUD4Aq3o0zYd-rI-GYHiii7P_&x-client-SKU=ID_NET&x-client-ver=2.1.4.0

To the best of my knowledge this was working for many months. I can't see any change in the code that would have impacted this so suspect it is environmental.

I have turned on logging and the /connect/endsession doesn't even appear to be triggered. All other events are logged.

In development, it works and the logging shows the endpoint being called:

Endpoint enabled: "Endsession", successfully created handler: "IdentityServer4.Endpoints.EndSessionEndpoint"
Request path "/connect/endsession" matched to endpoint type "Endsession"

The client has the correct PostLogoutRedirectUris configured in IdentityServer4 Config.cs

PostLogoutRedirectUris =
                {
                    "https://admin.acme.com/signout-callback-oidc"
                },

Interestingly, if I manually edit the Url to remove the

post_logout_redirect_uri=https%3A%2F%2Fadmin.acme.com%2Fsignout-callback-oidc& 

and submit then I'm successfully redirected to Identity Server to the LoggedOut page.

If I remove the

.AddOpenIdConnect("oidc", options =>
{
    options.SignedOutRedirectUri = "https://admin.acme.com";
});

from the startup.cs then I can successfully logout from the client (however there is no longer a redirect post logout)

Can anyone explain what is happening?

UPDATE - Is it a length of URL issue?

This makes me question if this is an issue with the server not accepting a long url?

Fanetic
  • Exceeding a max URL length limit maybe? – mackie Apr 16 '18 at 10:44
  • Yes - I get your point! But why has this stopped working when it has been working for months? (ok, maybe there has been some update to the Azure environment which is enforcing this but I want to know if others are having this problem). – Fanetic Apr 16 '18 at 11:20
  • Limits like this in Azure are a well known issue. Is it possible that by pure (bad) luck your urls are now exceeding the limit when they weren't before? We worked around an issue similar to this (integrating with Azure AD) by storing state that otherwise would have been in the URL in a cookie instead. – mackie Apr 16 '18 at 15:08
  • I'm working on optimizing the size of my identity token as per this article - https://leastprivilege.com/2016/12/14/optimizing-identity-tokens-for-size/ - will post solution if I get it. – Fanetic Apr 16 '18 at 15:19
  • Please check it [https://stackoverflow.com/questions/11636386/how-to-configure-the-web-config-to-allow-requests-of-any-length](https://stackoverflow.com/questions/11636386/how-to-configure-the-web-config-to-allow-requests-of-any-length) – Caner Sep 23 '19 at 08:05

2 Answers

6

Based on the debugging outlined in the question I determined this appeared to be an issue with Url length.

A positive outcome is that I had to dive much deeper into understanding how Identity Server works and I've managed to optimise the overall sign-on process and speed significantly as well as improve my overall implementation.

In summary - these are some of the changes I made:

Don't return

IdentityServerConstants.StandardScopes.Profile

Set

AlwaysIncludeUserClaimsInIdToken = false

and use

public async Task GetProfileDataAsync(ProfileDataRequestContext context)

to provide the claims you need (as well as not returning claims my client was not using)

Fanetic
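A worked version of the server-side changes this answer lists, as an added example (not the answerer's own code or the IdentityServer4 samples); the client id, secret and claim allow-list are assumed values:

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using IdentityServer4;
using IdentityServer4.Models;
using IdentityServer4.Services;

// Client definition on identity.acme.com: keep the id_token small so the
// id_token_hint on /connect/endsession stays well under any URL length limit.
public static class Config
{
    public static IEnumerable<Client> GetClients() => new[]
    {
        new Client
        {
            ClientId = "admin",                                   // assumed client id
            AllowedGrantTypes = GrantTypes.Hybrid,
            ClientSecrets = { new Secret("replace-me".Sha256()) },  // placeholder secret
            RedirectUris = { "https://admin.acme.com/signin-oidc" },
            PostLogoutRedirectUris = { "https://admin.acme.com/signout-callback-oidc" },
            // Claims are no longer copied into the id_token; the client
            // fetches them from /connect/userinfo instead.
            AlwaysIncludeUserClaimsInIdToken = false,
            // Do not hand out the "profile" scope the client never used.
            AllowedScopes = { IdentityServerConstants.StandardScopes.OpenId, "email" }
        }
    };
}

// Profile service that issues only claims the caller requested AND the
// client is known to consume. Register it with
// services.AddIdentityServer().AddInMemoryClients(Config.GetClients())
//         .AddProfileService<TrimmedProfileService>();
public class TrimmedProfileService : IProfileService
{
    // Assumed allow-list; adjust to what your client really reads.
    private static readonly HashSet<string> Allowed = new HashSet<string> { "email", "role" };

    public Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        context.IssuedClaims = context.Subject.Claims
            .Where(c => Allowed.Contains(c.Type) && context.RequestedClaimTypes.Contains(c.Type))
            .ToList();
        return Task.CompletedTask;
    }

    public Task IsActiveAsync(IsActiveContext context)
    {
        context.IsActive = true;   // no lockout check in this example
        return Task.CompletedTask;
    }
}
```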
6

I'm doing tests with identity server 4 and asp.net core and faced the same issue with the URL length. I found an alternative that could help. There is an option in AddOpenIdConnect() that you can set the method used to redirect the user agent to the identity provider. I set it to "FormPost" and now the request uses POST instead of GET to call the endsession endpoint.

.AddOpenIdConnect("oidc", options =>
{
     [...]
     // Send the end-session request as an auto-submitted form (POST) instead of a GET redirect
     options.AuthenticationMethod = OpenIdConnectRedirectBehavior.FormPost;
});
Souza
    This is a better solution than the other. Indeed it solved my issue without removing claims, which at some point it could not be possible depending on the application. – Kat Lim Ruiz May 08 '20 at 22:06
  • Is there anything you need to setup for this to work? I added that option to our solution, but the querystring token is still there in the /connect/endsession – Jarrod McGuire Oct 28 '22 at 14:14
  • Here I just call HttpContext.SignOutAsync("oidc") in my Logout action. – Souza Oct 30 '22 at 19:28
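The MVC client side that goes with this answer, as an added example (not code from either answerer): the OIDC handler is configured to POST the end-session request, the client requests only the scopes it uses and reads claims from the userinfo endpoint, and the Logout action signs out of both schemes. Client id and secret are placeholders.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Startup.ConfigureServices on admin.acme.com
public static class ClientAuth
{
    public static void Configure(IServiceCollection services)
    {
        services.AddAuthentication(o =>
        {
            o.DefaultScheme = "Cookies";
            o.DefaultChallengeScheme = "oidc";
        })
        .AddCookie("Cookies")
        .AddOpenIdConnect("oidc", options =>
        {
            options.Authority = "https://identity.acme.com";
            options.ClientId = "admin";              // assumed client id
            options.ClientSecret = "replace-me";     // placeholder secret
            options.ResponseType = "code id_token";
            options.Scope.Clear();                   // drop the default "openid profile"
            options.Scope.Add("openid");
            options.Scope.Add("email");              // only what the app actually uses
            options.GetClaimsFromUserInfoEndpoint = true; // claims are no longer in the id_token
            options.SignedOutRedirectUri = "https://admin.acme.com";
            // Carry id_token_hint and state in a POST body rather than the query string,
            // so the end-session request is not subject to the proxy's URL length limit.
            options.AuthenticationMethod = OpenIdConnectRedirectBehavior.FormPost;
        });
    }
}

public class AccountController : Controller
{
    // Clear the local cookie first, then let the OIDC handler build the
    // end-session request (rendered as an auto-submitting form with FormPost).
    public async Task Logout()
    {
        await HttpContext.SignOutAsync("Cookies");
        await HttpContext.SignOutAsync("oidc");
    }
}
```

After deploying, confirm in the identity server log that "/connect/endsession" matches the Endsession endpoint as it does in development; if it still arrives as a long GET, the FormPost setting is not taking effect for sign-out.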