Identity Server is working as expected. I can log a user in and log a user out. However, the PostLogoutRedirectUri property on the LogoutRequest object is always coming back as null.

My SPA client configuration:

    {
        ClientId = "pokemon",
        ClientName = "Angular Pokemon Client",

        AllowedGrantTypes = GrantTypes.Code,
        RequireClientSecret = false,
        RedirectUris =           { "http://localhost:4200/login" },
        PostLogoutRedirectUris = { "http://localhost:4200" },
        AllowedCorsOrigins =     { "http://localhost:4200" },
        AllowOfflineAccess = true,
        AllowAccessTokensViaBrowser = true,
        AllowRememberConsent = false,
        RequireConsent = true,

        AllowedScopes =
        {
            IdentityServerConstants.StandardScopes.OpenId,
            IdentityServerConstants.StandardScopes.Profile,
            "scope1"
        }
    }

The settings for AccountOptions object are:

public static bool AllowLocalLogin = true;
public static bool AllowRememberLogin = true;
/.../
public static bool ShowLogoutPrompt = false;
public static bool AutomaticRedirectAfterSignOut = true;

Then on the client I am using the oidc-client library. I have the following settings configured:

const settings = {
    authority: "https://localhost:5001",
    client_id: "pokemon",
    redirect_uri: "http://localhost:4200/login",
    response_type: "code",
    scope: "openid profile scope1",
    userStore: new WebStorageStateStore({ store: window.localStorage })
}

I have tried with a post_logout_redirect_uri value and without. Same result.

The way I make the logout request is this.mgr.signoutRedirect(). I have also tried adding this.mgr.signoutRedirect({ id_token_hint: user.id_token }) but got the same result.

The first request going out of my client to the IdP has the following URL

https://localhost:5001/connect/endsession?id_token_hint=eyJhbGciOiJSUzI1NiIsImtpZCI6IjhEQTE2MDdBRTE2NzJGODQ3RkU2NkE2MUI2NEFGM0IxIiwidHlwIjoiSldUIn0.eyJuYmYiOjE2MDE1ODMxODQsImV4cCI6MTYwMTU4MzQ4NCwiaXNzIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6NTAwMSIsImF1ZCI6InBva2Vtb24iLCJpYXQiOjE2MDE1ODMxODQsImF0X2hhc2giOiJRajc0Z1Z6VGc5WUd3OGVhaTlKWDhRIiwic19oYXNoIjoiM1k2NGtROVFsY2d3Q0VUSGpMT1RDQSIsInNpZCI6IkRFQkFERTA1Njg5RTk1RDY0NUQwNUJGOTkyREJCRTBDIiwic3ViIjoiYWxpY2UiLCJhdXRoX3RpbWUiOjE2MDE1ODMxNjIsImlkcCI6ImxvY2FsIiwiYW1yIjpbInB3ZCJdfQ.xpQo3SFT_Pc4LDtXPHWEETkweLmevUQvPj_84EC98s8qy272mb1dIc3rsIxpHvmBy6f4kI3z4CRs0w6fZmLGyWtZCYCcM6RJhKyGIz_epr-s_ZfZ7XE9Fwvy2FWFZ_HL0SgqLyUCwxKyel0GnzgEmHqcgIbKrK-3KAsVVuNKbXfEwCE-HsVv0OPssAmWvqRdN61ZtbIst4LP6TISkTvlP8HNZozlpbVawGjRPeubyImoYCZgPDVBYI3Ml_xtmSRITdIcTT9S8JmGL4sBIzNXW2ChOTuMvcEkix2lmPH1e9orFA2QOdGgeHylv6sza5ukHR6HTIF9ypoMon-ycNBPJw

Then the second request is fired

https://localhost:5001/Account/Logout?logoutId=CfDJ8CU-F4FvYn9IkMAT1M74c9qWz8pFpIUH_9uKhIkfUFRQKmkVvPVyRNSRpMnTTQ2ZjIqEqFONFzQ6334fLzoKrrUoxjfnIEXYONgXLCnB3IL0OGjaQcP2WIeX-u7UAx_7LIs-DRvGiDEsgnrfhveZknsDPPcJvediQ3viec63gA9EGo5g467Hcd_JClsdikFAd3j2daTxAdVvhmzmjW60ghfibOnsERghDz3FuuX0vDMjBo5JsRyFQeM78BNnvHkoMOIunz2m4RpJLHHzApRxz0Dofl3Oa9JsVxISGevK02Be1W0oTp1eUh_Yb2a6rMYmkhR2vUg4_MazHi61NI5Lvg1X2gn8x3HR2SiKO6-BEiNK07Mt1poyky4A31DcIQiJKQ

On the Identity Server provider, looking at the logs, there are no errors or warning. This code then gets executed:

// get context information (client name, post logout redirect URI and iframe for federated signout)
var logout = await _interaction.GetLogoutContextAsync(logoutId);

var vm = new LoggedOutViewModel
{
    AutomaticRedirectAfterSignOut = AccountOptions.AutomaticRedirectAfterSignOut,
    PostLogoutRedirectUri = logout?.PostLogoutRedirectUri,
    ClientName = string.IsNullOrEmpty(logout?.ClientName) ? logout?.ClientId : logout?.ClientName,
    SignOutIframeUrl = logout?.SignOutIFrameUrl,
    LogoutId = logoutId
};
 

and logout?.PostLogoutRedirectUri is always returning null. logoutId has a value. Inspecting the source code, GetLogoutContextAsync seems to simply take the logoutId and deserialize it into a Message object.

When I manually change PostLogoutRedirectUri to http://localhost:4200 it works. Any ideas why it keeps returning null?

O.MeeKoh
  • What was the original value you used for `post_logout_redirect_uri`? – nahidf Oct 02 '20 at 04:16
  • You're using a framework to create the logoutId. It probably creates the PostLogoutRedirectUrl in this format "https://localhost:4200/signout-callback-oidc". The postLogout in the IdentityServer config is imo just a list of "allowed" redirects. If you allow "https://localhost:4200", but the actual value has the signout suffix, it returns null. But I'm not sure. – Heinzlmaen Mar 01 '21 at 15:34

2 Answers

In the logout function on the client side, use the following:

this._userManager.signoutRedirect({'id_token_hint' : this._user.id_token});

where _user is the returned "User" object. Please refer to IdentityServer4 logout, as the resolution already exists.

Also, go to the identity server log and check whether you get a similar log entry, and observe the call to the session endpoint (the ClientId and the "PostLogOutUri" are null, apart from other parameters).

Simas Joneliunas
Jhilmil Basu
Go through the warning log message where the sign-out request started. The logs are useful when debugging these issues.

Example warning message appear for my case:

[17:21:57 WRN] Invalid PostLogoutRedirectUri: https://localhost:5511/authentication/logout-callback

The problem encountered here is that the redirect URI saved in the DB had an empty space in front, causing the PostLogoutRedirectUri to be invalid and return null. Just remove the empty space from the URI and the problem is solved.

steamb
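As an added example (not code from the question, either answer, or IdentityServer4 itself), the following Node.js script models the check that all three posts circle around. With IdentityServer4's default StrictRedirectUriValidator, the end-session endpoint accepts post_logout_redirect_uri only when it is an exact string match for one of the client's registered PostLogoutRedirectUris, and when the parameter is absent there is nothing to match, so the logout context ends up with PostLogoutRedirectUri null either way. Note that the endsession URL shown in the question carries only id_token_hint. The client table, the id_token_hint helper, the log strings and every function name here are constructed for illustration and are not IdentityServer4's or oidc-client's APIs.

```javascript
// Added example, not code from the question or from IdentityServer4. It models
// the decision IdentityServer4's end-session validation makes with its default
// StrictRedirectUriValidator: post_logout_redirect_uri must match one of the
// client's registered PostLogoutRedirectUris exactly, otherwise the logout
// context carries PostLogoutRedirectUri = null. All names are hypothetical and
// the client table is constructed sample data.

const authority = "https://localhost:5001";

// Constructed client registrations: the question's client, plus one that
// reproduces the leading-space defect described in the second answer.
const clients = {
  pokemon: {
    postLogoutRedirectUris: ["http://localhost:4200"],
  },
  "sloppy-client": {
    postLogoutRedirectUris: [" https://localhost:5511/authentication/logout-callback"],
  },
};

const b64url = (s) =>
  Buffer.from(s, "utf8").toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const fromB64url = (s) =>
  Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64").toString("utf8");

// Constructed id_token_hint (header.payload.signature with a dummy signature).
// Only the aud claim matters here: that is how the server finds the client.
function makeIdTokenHint(clientId) {
  const header = b64url(JSON.stringify({ alg: "none", typ: "JWT" }));
  const payload = b64url(JSON.stringify({ iss: authority, aud: clientId, sub: "alice" }));
  return `${header}.${payload}.sig`;
}

// Build the end-session URL the way a client library does: only parameters the
// caller actually supplies end up in the query string. If post_logout_redirect_uri
// is neither configured nor passed, the server never sees one.
function buildEndSessionUrl({ id_token_hint, post_logout_redirect_uri } = {}) {
  const url = new URL("/connect/endsession", authority);
  if (id_token_hint) url.searchParams.set("id_token_hint", id_token_hint);
  if (post_logout_redirect_uri) url.searchParams.set("post_logout_redirect_uri", post_logout_redirect_uri);
  return url.toString();
}

// Identify the client from the id_token_hint's aud claim. No signature check:
// this is demo data; a real server validates the token before trusting it.
function clientIdFromIdTokenHint(idToken) {
  const parts = (idToken || "").split(".");
  if (parts.length !== 3) return null;
  try {
    const { aud } = JSON.parse(fromB64url(parts[1]));
    return typeof aud === "string" && Object.prototype.hasOwnProperty.call(clients, aud) ? aud : null;
  } catch {
    return null;
  }
}

// Validate as the strict validator does: exact, case-sensitive string match.
// Returns the accepted URI, or null with the reason appended to `log`.
function resolvePostLogoutRedirectUri(endSessionUrl, log = []) {
  const params = new URL(endSessionUrl).searchParams;
  const clientId = clientIdFromIdTokenHint(params.get("id_token_hint"));
  const requested = params.get("post_logout_redirect_uri");
  if (!clientId) {
    log.push("No client identified from id_token_hint; cannot validate redirect");
    return null;
  }
  if (!requested) {
    log.push(`Client ${clientId} sent no post_logout_redirect_uri`);
    return null;
  }
  if (!clients[clientId].postLogoutRedirectUris.includes(requested)) {
    log.push(`Invalid PostLogoutRedirectUri: ${requested}`);
    return null;
  }
  return requested;
}

// Walk the cases that come up in the thread and return the outcomes.
function runCases() {
  const hint = makeIdTokenHint("pokemon");
  const call = (args) => resolvePostLogoutRedirectUri(buildEndSessionUrl(args));
  return {
    missingParam: call({ id_token_hint: hint }),
    exactMatch: call({ id_token_hint: hint, post_logout_redirect_uri: "http://localhost:4200" }),
    trailingSlash: call({ id_token_hint: hint, post_logout_redirect_uri: "http://localhost:4200/" }),
    noHint: call({ post_logout_redirect_uri: "http://localhost:4200" }),
    leadingSpaceInDb: call({
      id_token_hint: makeIdTokenHint("sloppy-client"),
      post_logout_redirect_uri: "https://localhost:5511/authentication/logout-callback",
    }),
  };
}
```

Of the five cases, only exactMatch yields a URI; the others come back null, which is the symptom in the question. The practical check is therefore twofold: confirm that the endsession request actually carries post_logout_redirect_uri (for oidc-client that means setting post_logout_redirect_uri in the UserManager settings or passing it to signoutRedirect alongside id_token_hint), and confirm that the stored PostLogoutRedirectUris entry is byte-for-byte identical to what the client sends, including scheme, port, trailing slash and surrounding whitespace.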