Activities of "ademaygun"
Hi,
I found the solution; I set the 'Front Channel Logout URI' value to https://account.abc.com/account/logout, and my problem was resolved.
However, if I upgrade my abp project to v.6+, it seems that you don't have such a solution in your OpenID Connect configuration
Hi, We have two separate projects on the same codebase. The first project needs to work with local login, while the second one needs to use external provider. Therefore, we need two identity servers. Currently, when we log out from the Angular UI (authorization code flow), it logouts from our project, but not from the external provider.
hi, Do you have any other suggestions?
hi, If https://test-ffe-api.xxx.com has logged out, I tried to manually invoke the connect/endsession endpoint with the code below, but couldn't succeed. I think I need to call the connect/endSession endpoint with a similar code?
options.Events = new OpenIdConnectEvents // required for single sign out
{
OnRedirectToIdentityProviderForSignOut = async (context) => { var client = new HttpClient(); await client.GetAsync($"{configuration["ExternalProvider:Authority"]}/connect/endsession?id_token_hint={await context.HttpContext.GetTokenAsync("id_token")}&post_logout_redirect_uri={configuration["Abp:SelfUrl"]}"); }
};
Hi, It's a business (product owner) decision
Hi Maliming, steps:
- Click login button on online.abc.com
- It redirects to account.abc.com login page (https://account.abc.com/Account/Login?ReturnUrl=/connect/authorize/callback?client_id=A_App&redirect_uri=https://online-api.abc.com/signin-oidc&response_type=code id_token&scope=openid profile role email phone&response_mode=form_post (url is decoded)
- I logged in and it redirects me to online.abc.com (logged in)
- when click logout button and it redirects online-api.abc.com(Signed out , You have been signed out and you will be redirected soon, Click here to return application)
- It redirects to online.abc.com (logged out)
- I click login button again
- It redirects me to account.abc.com, but redirects me again to online.abc.com without asking for my username/password on the login page
- ABP Framework version: v5.3.3
- UI Type: Angular
- Database System: EF Core
- Tiered (for MVC) or Auth Server Separated (for Angular): no
- Exception message and full stack trace:
- Steps to reproduce the issue:
I have an abp project consisting of the addresses https://online.abc.com (angular) and https://online-api.abc.com. Additionally, I have another abp project using https://account.abc.com as an external login. In other words, when a user wants to log in, they are redirected to https://account.abc.com and log in successfully. However, when they log out, the call to https://online-api.abc.com/connect/endsession is made for logout. Despite wanting to log out from https://account.abc.com as well (meaning, calling https://account.abc.com/connect/endsession), it doesn't log out. How can I achieve this?
online.abc.com HostModule : (Enable Local Login = false)
context.Services.AddAuthentication().AddAbpOpenIdConnect("oidc", options =>
{
options.Authority = configuration["ExternalProvider:Authority"];
options.RequireHttpsMetadata = Convert.ToBoolean(configuration["ExternalProvider:RequireHttpsMetadata"]); ;
options.ResponseType = OpenIdConnectResponseType.CodeIdToken;
options.ClientId = configuration["ExternalProvider:ClientId"];
options.ClientSecret = configuration["ExternalProvider:ClientSecret"];
options.UsePkce = true;
options.SaveTokens = true;
options.GetClaimsFromUserInfoEndpoint = true;
options.Scope.Add("role");
options.Scope.Add("email");
options.Scope.Add("phone");
options.ClaimActions.MapJsonKey(ClaimTypes.NameIdentifier, "sub");
});
Hi, I just realized that xyz.com comes to us with the following link:
https://account.abc.com/connect/endsession?post_logout_redirect_uri=https://xyz.com&client_id=Xyz_App
I customized the code as follows:
public async Task InvokeAsync(HttpContext context)
{
if (context.Request.Path.StartsWithSegments("/connect/endsession"))
{
var postLogoutRedirectUri = context.Request.Query["post_logout_redirect_uri"].ToString();
var clientId = context.Request.Query["client_id"].ToString();
var redirectUrl = $"/Account/LoggedOut?PostLogoutRedirectUri={postLogoutRedirectUri}&ClientName={clientId}";
context.Response.Redirect(redirectUrl);
return;
}
await _next(context);
}
Thank you for your response.I have resolved my issue. However, I need to mention the following as well:
- The Abp framework should handle a standard link like the one mentioned above (connect/endsession).
- It redirects regardless of what we send to the redirect URL; it does not perform any checks (It might be a bug)
EDIT (2024-08-01):
The client application was not sending the id_token_hint during the invocation of /connect/endsession. Therefore, we removed the custom middleware. The system is now functioning in compliance with the standard
Hi Liangshiwei,
The logout redirect URLs are already defined; however, if the logout URL is as follows, it does not perform any redirection
https://account.abc.com/Account/LoggedOut?ClientName=Abc_App&post_logout_redirect_uri=https%3A%2F%2Fxyz.com&Culture=en&UICulture=en&PageContext=Microsoft.AspNetCore.Mvc.RazorPages.PageContext
If the link is in the following format, it successfully redirects:
https://account.abc.com/Account/LoggedOut?ClientName=Abc_App&PostLogoutRedirectUri=https%3A%2F%2Fxyz.com&Culture=en&UICulture=en&PageContext=Microsoft.AspNetCore.Mvc.RazorPages.PageContext
Note: This issue is not reflected in the logs
- ABP Framework version: v5.3.3
- UI Type: Angular
- Database System: EF Core (SQL Server, Oracle, MySQL, PostgreSQL, etc..)
- Tiered (for MVC) or Auth Server Separated (for Angular): no
- Exception message and full stack trace:
- Steps to reproduce the issue:
I have an ABP project (account.abc.com), and another project (xyz.abc.com, not an ABP project) uses this project as an external login.
When we log out on xyz.abc.com, it sends post_logout_redirect_uri as a parameter, but the logout redirect is not working. I noticed that in my ABP projects, this parameter is sent as PostLogoutRedirectUri. I saw on the IDS page that it is used as post_logout_redirect_uri. We are unable to convince the team developing xyz.abc.com to make the change from post_logout_redirect_uri to PostLogoutRedirectUri.
In summary, even if post_logout_redirect_uri is sent as a parameter, how can we ensure that the logout process works?