1

I have a Identity Server 4 implementation in .Net core 3. And I also created 3 clients: Angular, .Net Core MVC (.Net Core 3.0) and .Net framework MVC (.Net framework 4.6.2).

The Angular and .Net Core MVC clients work without any problems but I have a problem with the .Net framework MVC client. It will not redirect back to the client from Identity Server.

.Net Framework MVC startup

private void ConfigureAuth(IAppBuilder app)
{
    app.UseCookieAuthentication(new CookieAuthenticationOptions {AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,});

    app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
    {
        AuthenticationType = OpenIdConnectAuthenticationDefaults.AuthenticationType,
        SignInAsAuthenticationType = CookieAuthenticationDefaults.AuthenticationType,

        Authority = "https://localhost:5001/",
        RequireHttpsMetadata = false,

        ResponseType = "id_token",

        RedirectUri = "https://localhost:44333/signin-oidc",
        PostLogoutRedirectUri = "https://localhost:44333/signout-callback-oidc",

        ClientId = "mvc-framework",
        SaveTokens = true
    });
}

Logout code:

[Authorize]
public ActionResult SignOut()
{
    HttpContext.GetOwinContext().Authentication.SignOut(CookieAuthenticationDefaults.AuthenticationType, OpenIdConnectAuthenticationDefaults.AuthenticationType);

    return RedirectToAction("Index", "Home");
}

Identity Server Setup:

internal static IServiceCollection AddConfiguredIdentityServer4InMemory(this IServiceCollection services, IConfiguration configuration, IWebHostEnvironment webHostingEnvironment)
{
    var builder = services.AddIdentityServer()
        .AddInMemoryIdentityResources(InMemoryData.GetIdentityResources())
        .AddInMemoryApiResources(InMemoryData.GetApiResources())
        .AddInMemoryClients(InMemoryData.GetClients())
        .AddTestUsers(InMemoryData.GetUsers());

    if (webHostingEnvironment.IsDevelopment())
        builder.AddDeveloperSigningCredential();
    else
        throw new Exception("need to configure key material"); //ToDo: work with certificate in key vault.

    return services;

}

Client configuration:

internal static IEnumerable<Client> GetClients()
{
    return new[]
    {
        // OpenID Connect implicit flow MVC .Net Framework client
        new Client
        {
            ClientId = "mvc-framework",
            ClientName = "MVC .Net Framework Client",
            AllowedGrantTypes = GrantTypes.Implicit,
            RequireConsent = false,

            // where to redirect to after login
            RedirectUris = { "https://localhost:44333/signin-oidc" },

            // where to redirect to after logout
            PostLogoutRedirectUris = { "https://localhost:44333/signout-callback-oidc" },

            // scopes
            AllowedScopes = new List<string> {IdentityServerConstants.StandardScopes.OpenId, IdentityServerConstants.StandardScopes.Profile}
        },

        // OpenID Connect implicit flow MVC .Net Core client
        new Client
        {
            ClientId = "mvc-core",
            ClientName = "MVC .Net Core Client",
            AllowedGrantTypes = GrantTypes.Implicit,
            RequireConsent = false,

            // where to redirect to after login
            RedirectUris = { "https://localhost:5003/signin-oidc" },

            // where to redirect to after logout
            PostLogoutRedirectUris = { "https://localhost:5003/signout-callback-oidc" },
            AllowedScopes = new List<string> {IdentityServerConstants.StandardScopes.OpenId, IdentityServerConstants.StandardScopes.Profile}
        },
        new Client
        {

            ClientId = "angular_spa",
            ClientName = "Angular SPA",
            AllowedGrantTypes = GrantTypes.Implicit,

            RequireConsent = false,

            // where to redirect to after login
            RedirectUris = { "http://localhost:4200/auth-callback" },

            // where to redirect to after logout
            PostLogoutRedirectUris = { "http://localhost:4200/" },

            // cors
            AllowedCorsOrigins = {"http://localhost:4200"},

            AllowedScopes = new List<string> {IdentityServerConstants.StandardScopes.OpenId, IdentityServerConstants.StandardScopes.Profile}
        }
    };
}

Identity Server Account configuration:

public class AccountOptions
{
    public static bool AllowLocalLogin = true;
    public static bool AllowRememberLogin = true;
    public static TimeSpan RememberMeLoginDuration = TimeSpan.FromDays(30);

    public static bool ShowLogoutPrompt = false;
    public static bool AutomaticRedirectAfterSignOut = true;

    public static readonly string WindowsAuthenticationSchemeName = Microsoft.AspNetCore.Server.IISIntegration.IISDefaults.AuthenticationScheme;
    public static bool IncludeWindowsGroups = false;

    public static string InvalidCredentialsErrorMessage = "Invalid username or password";
}

When I use the .Net framework MVC client and logout I'm redirected to Identity Server and the user is logged out without a problem but my browser gets stuck on:

LogOut page of Identity Server

The PostLogoutRedirectUri is empty on the LoggedOutViewModel but I'm not sure why. Both other clients get redirect to after logout.

Any ideas why my .Net framework MVC (.Net framework 4.6.2) client does not get redirected to? or why its PostLogoutRedirectUri is empty on the LoggedOutViewModel?

Jayakumar Thangavel
  • 1,884
  • 1
  • 22
  • 29
Yvonne
  • 11
  • 2

1 Answers1

0

The IdentityServer needs the id_token in order to proceed with (automatic) redirect. Because this doesn't occur, it seems the id token is not present.

Take a look at the issue here for more information.

To solve it you'll have to include the token on logout:

app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
    Notifications = new OpenIdConnectAuthenticationNotifications
    {
        RedirectToIdentityProvider = n =>
        {
            // if signing out, add the id_token_hint
            if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.LogoutRequest)
            {
                var idTokenHint = n.OwinContext.Authentication.User.FindFirst("id_token");

                    if (idTokenHint != null)
                        n.ProtocolMessage.IdTokenHint = idTokenHint.Value;

                    return Task.FromResult(0);
                }
            }
        }
    }
}

To enable automatic redirect take a look at my answer here.

  • Thank you for the response, I have added your code to my client but to no avail. I'm still not getting any url or automatic redirect from Identity Server 4. I think my problem is not the redirect but the fact the my PostLogoutRedirectUri null is in the LoggedOutViewModel. But I set this url in the configuration of Identity Server and I also sent it them the client connects to it. – Yvonne Dec 11 '19 at 07:09