Comments (12)
@deastr The sign-out standard was still being developed when Katana released.
You primarily need to clear auth cookies and any Session contents.
from aspnetkatana.
Katana does not implement /signout-oidc; that was first implemented in ASP.NET Core.
aspnet/Security@d6763bd
@Tratcher: Thank you. I'm just curious why signin-oidc was implemented but not signout-oidc?
Also, do I need an additional step for signouts on WebForms other than /connect/endsession/callback? IdentityServer3 defines a SignoutCleanup process, but do you reckon it's needed?
The problem is that it is not possible to identify the current user, because the signout callback is done in an iframe, so the auth cookie will not be sent reliably (only if third-party cookies are allowed, or the IdServer is in the trusted sites on IE). But with no cookie, it is not possible to check whether the signout request is valid. So how to do this?
@DerAlbertCom If that's true then the spec itself is flawed. Do you have this problem in other browsers?
@Tratcher yes, the OpenID spec is flawed in my opinion, for GET-based sign-outs. Maybe that's the reason there is also a back-channel signout specified.
Modern browsers don't send third-party cookies, to avoid tracking. So if the Identity Provider (like IdentityServer3/4) is running on a different domain and is trying to log out the client, it is done via a simple iframe which calls the signout URI. No cookie is sent in that case.
In IE you can add the Identity Provider URI to the trusted sites (possible in company environments), and in Firefox and Chrome you can allow third-party cookies. Then it works as expected. But as a developer I have no impact on that.
@DerAlbertCom @Tratcher what kind of feedback are you looking for here?
Think we should ping Mike Jones?
Yes, please
@Tratcher done.
The sid=5f5617803ca616c7cb247d2d30f178af parameter enables you to identify the user. Match the sid value with the "sid" claim in the ID Token that was sent at login time. That way, you can sign out only that user. Alternatively, some implementations ignore the "sid" and sign out all users upon receiving the front-channel logout message.
@selfissued it is not possible to verify the user because no cookie gets sent (on a different domain than the OP) which would allow identifying the user; logging out regardless of the sid is a great possibility for a denial of service.
@brentschmaltz the feedback I'm looking for is a way to log the user out securely. But this seems not possible with OpenID Connect Front-Channel Logout.
Sorry, I'm on vacation, so this answer took a while.
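The two points argued above (match the `sid` parameter against the `sid` claim of the session's ID Token, and never sign out "everyone" when the iframe request arrives without the RP's own cookie) as an added example; this is illustrative code, not Katana's or IdentityServer's, and it assumes a constructed in-memory session store and a constructed OP issuer URL.

```python
from urllib.parse import parse_qs, urlsplit

TRUSTED_ISSUER = "https://op.example"  # assumed OP for this example

# Constructed sample session store: auth-cookie value -> ID Token claims
# captured at login. A real RP keeps this in its auth cookie/session data.
SESSIONS = {
    "cookie-abc": {"sub": "alice", "iss": TRUSTED_ISSUER,
                   "sid": "5f5617803ca616c7cb247d2d30f178af"},
    "cookie-xyz": {"sub": "bob", "iss": TRUSTED_ISSUER, "sid": "0000deadbeef"},
}


def handle_front_channel_logout(url, cookies, sessions=SESSIONS):
    """Decide what a GET to the RP's front-channel logout endpoint may do.

    Returns (http_status, cookie_to_clear_or_None, reason). The user is
    identified only by the RP's own auth cookie, never by the query string,
    so a request that arrives without that cookie (the cross-site iframe
    case from the thread) signs nobody out rather than signing everyone out.
    """
    query = parse_qs(urlsplit(url).query)
    iss = query.get("iss", [None])[0]   # spec: OP issuer identifier
    sid = query.get("sid", [None])[0]   # spec: session id from the ID Token
    cookie = cookies.get("auth")
    session = sessions.get(cookie) if cookie else None
    if session is None:
        # Respond 200 so the OP's iframe load completes; nothing is signed out.
        return 200, None, "no session cookie: user cannot be identified"
    if iss != TRUSTED_ISSUER or iss != session["iss"]:
        return 400, None, "issuer mismatch"
    if sid is None or sid != session["sid"]:
        return 400, None, "sid does not match this session's ID Token"
    # Only this caller's own session is ended: clear its auth cookie.
    return 200, cookie, f"sign out {session['sub']}"
```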