/signout-oidc endpoint on ASP.NET WebForms client about aspnetkatana HOT 12 CLOSED

@deastr The sign-out standard was still being developed when Katana released.

You primarily need to clear auth cookies and any Session contents.

from aspnetkatana.

Katana does not implement /signout-oidc, that was first implemented in ASP.NET Core.
aspnet/Security@d6763bd

from aspnetkatana.

@Tratcher : Thank you. I'm just curious why was signin-oidc was implemented but not signout-oidc?

Also do I need an additional step for signouts on WebForms other than /connect/endsession/callback? IdentityServer3 defines a SignoutCleanup process but do you reckon it's needed?

from aspnetkatana.

The Problem is that it is not possible to identity the current user, because the signout callback is done on an iframe. so the auth cookie will not be send reliable (only if 3rd Party Cookies are allowed, or the IdServer is in the trusted sites on IE). But with no Cookie, it is not possible to check if the signout request ist Valid. So how to do this?

from aspnetkatana.

@DerAlbertCom If that's true then the spec itself is flawed. Do you have this problem in other browsers?

from aspnetkatana.

@Tratcher yes, the openid spec is flawed in my opinion, for GET based sign outs. Maybe that's the reason that there is also a backchannel signout specified.

Modern browser don't send 3rd party cookies to avoid tracking. So if the Identity Provider (like IdentityServer3/4) is running on a different Domain, and is trying to log out the client it is done via a simple iframe which calls the signout uri. No cookie is send in that case.

In IE you can add the Identity Provider Uri to the trusted sites (possible in Company Environments) and in Firefox and Chrome you can allow 3rd Party Cookies. Then it works as expected. But as a developer I have no impact on that.

from aspnetkatana.

@brentschmaltz ?

from aspnetkatana.

@DerAlbertCom @Tratcher what kind of feedback are you looking for here?
Think we should ping Mike Jones?

from aspnetkatana.

Yes, please

from aspnetkatana.

@Tratcher done.

from aspnetkatana.

The sid=5f5617803ca616c7cb247d2d30f178af parameter enables you to identify the user. Match the sid value with the "sid" claim in the ID Token that was sent at login time. That way, you can sign out only that user. Alternatively, some implementations ignore the "sid" and sign out all users upon receiving the front-channel logout message.

from aspnetkatana.

@selfissued it is not possible to verify the user because no cookie get sent (on different domains then the OP) which allows to identify the user, login out regardless of the sid is a great possibility for a Denial of Service.

@brentschmaltz the feedback i'm looking is a possibility to log the user securely logout. But this seems not possible with OpenId Connect Front Channel Logout.

Sorry, i'm on vacation, so this answer took awhile

from aspnetkatana.