Activities of "ademaygun"

Hi, I found the solution; I set the 'Front Channel Logout URI' value to https://account.abc.com/account/logout, and my problem was resolved. However, if I upgrade my abp project to v.6+, it seems that you don't have such a solution in your OpenID Connect configuration.

Hi, we have two separate projects on the same codebase. The first project needs to work with local login, while the second one needs to use an external provider. Therefore, we need two identity servers. Currently, when we log out from the Angular UI (authorization code flow), it logs out of our project, but not from the external provider.

Hi, do you have any other suggestions?

Hi, if https://test-ffe-api.xxx.com has logged out, I tried to manually invoke the connect/endsession endpoint with the code below, but couldn't succeed. I think I need to call the connect/endSession endpoint with similar code?

options.Events = new OpenIdConnectEvents // required for single sign out
{
    OnRedirectToIdentityProviderForSignOut = async (context) =>
    {
        var client = new HttpClient();
        var idToken = await context.HttpContext.GetTokenAsync("id_token");
        await client.GetAsync(
            $"{configuration["ExternalProvider:Authority"]}/connect/endsession" +
            $"?id_token_hint={idToken}" +
            $"&post_logout_redirect_uri={configuration["Abp:SelfUrl"]}");
    }
};

Hi, It's a business (product owner) decision

Hi Maliming, steps:

  • Click login button on online.abc.com
  • It redirects to the account.abc.com login page (https://account.abc.com/Account/Login?ReturnUrl=/connect/authorize/callback?client_id=A_App&redirect_uri=https://online-api.abc.com/signin-oidc&response_type=code id_token&scope=openid profile role email phone&response_mode=form_post) (URL is decoded)
  • I logged in and it redirects me to online.abc.com (logged in)
  • When I click the logout button, it redirects to online-api.abc.com (Signed out, You have been signed out and you will be redirected soon, Click here to return application)
  • It redirects to online.abc.com (logged out)
  • I click login button again
  • It redirects me to account.abc.com, but redirects me again to online.abc.com without asking for my username/password on the login page

Hi, I just realized that xyz.com comes to us with the following link:

https://account.abc.com/connect/endsession?post_logout_redirect_uri=https://xyz.com&client_id=Xyz_App

I customized the code as follows:

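public async Task InvokeAsync(HttpContext context)
{
    if (context.Request.Path.StartsWithSegments("/connect/endsession"))
    {
        var postLogoutRedirectUri = context.Request.Query["post_logout_redirect_uri"].ToString();
        var clientId = context.Request.Query["client_id"].ToString();

        // Forward both values to the LoggedOut page. They are URL-encoded so that
        // characters such as '&' or '#' cannot alter the query string; the redirect
        // URI itself is not validated here.
        var redirectUrl = "/Account/LoggedOut" +
            $"?PostLogoutRedirectUri={Uri.EscapeDataString(postLogoutRedirectUri)}" +
            $"&ClientName={Uri.EscapeDataString(clientId)}";

        context.Response.Redirect(redirectUrl);
        return;
    }

    await _next(context);
}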

Thank you for your response. I have resolved my issue. However, I need to mention the following as well:

  • The Abp framework should handle a standard link like the one mentioned above (connect/endsession).
  • It redirects regardless of what we send to the redirect URL; it does not perform any checks (it might be a bug).

EDIT (2024-08-01):

The client application was not sending the id_token_hint during the invocation of /connect/endsession. Therefore, we removed the custom middleware. The system is now functioning in compliance with the standard.
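
The kind of check the post above reports as missing, shown as an added example that is not part of the original post and is not ABP or IdentityServer code: a post-logout redirect is honoured only when it exactly matches a URI registered for the requesting client. The class name `PostLogoutRedirectValidator`, the method `IsAllowed` and the registration table are hypothetical, and the sample values are constructed from the placeholder hosts used in the thread.

```csharp
using System;
using System.Collections.Generic;

// Added example: hypothetical helper, not ABP or IdentityServer code.
public static class PostLogoutRedirectValidator
{
    // Constructed registrations; a real server reads each client's registered
    // post-logout redirect URIs from its client store.
    private static readonly Dictionary<string, string[]> Registered =
        new Dictionary<string, string[]>(StringComparer.Ordinal)
        {
            ["Xyz_App"] = new[] { "https://xyz.com" },
            ["Abc_App"] = new[] { "https://online.abc.com" },
        };

    // Returns true only when `requested` is an exact match for a URI
    // registered for `clientId`; otherwise the caller must not redirect.
    public static bool IsAllowed(string clientId, string requested)
    {
        if (string.IsNullOrEmpty(clientId) || string.IsNullOrEmpty(requested))
            return false;
        if (!Registered.TryGetValue(clientId, out var allowed))
            return false;                       // unknown client
        if (!Uri.TryCreate(requested, UriKind.Absolute, out var uri)
            || uri.Scheme != Uri.UriSchemeHttps)
            return false;                       // relative, malformed or non-HTTPS
        // Exact ordinal comparison: no prefix, suffix or wildcard matching.
        return Array.Exists(allowed,
            a => string.Equals(a, requested, StringComparison.Ordinal));
    }
}

public static class Program
{
    public static void Main()
    {
        var samples = new[]
        {
            ("Xyz_App", "https://xyz.com"),              // registered: allowed
            ("Xyz_App", "https://xyz.com.example.net"),  // look-alike host: rejected
            ("Abc_App", "https://xyz.com"),              // another client's URI: rejected
            ("Xyz_App", "/Account/Login"),               // relative path: rejected
        };
        foreach (var (client, uri) in samples)
            Console.WriteLine($"{client} {uri} -> {PostLogoutRedirectValidator.IsAllowed(client, uri)}");
    }
}
```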

Hi Liangshiwei,

The logout redirect URLs are already defined; however, if the logout URL is as follows, it does not perform any redirection:

https://account.abc.com/Account/LoggedOut?ClientName=Abc_App&post_logout_redirect_uri=https%3A%2F%2Fxyz.com&Culture=en&UICulture=en&PageContext=Microsoft.AspNetCore.Mvc.RazorPages.PageContext

If the link is in the following format, it successfully redirects:

https://account.abc.com/Account/LoggedOut?ClientName=Abc_App&PostLogoutRedirectUri=https%3A%2F%2Fxyz.com&Culture=en&UICulture=en&PageContext=Microsoft.AspNetCore.Mvc.RazorPages.PageContext

Note: This issue is not reflected in the logs.

Hi liangshiwei, Thanks for your support

I added these lines:

# Install Node.js and NPM
RUN apt-get update && \
    apt-get install -y nodejs npm && \
    rm -rf /var/lib/apt/lists/*

I am getting these warnings again this time.

#13 45.89 npm WARN deprecated fsevents@1.2.9: The v1 package contains DANGEROUS / INSECURE binaries. Upgrade to safe fsevents v2
#13 49.76 npm WARN deprecated cuid@2.1.8: Cuid and other k-sortable and non-cryptographic ids (Ulid, ObjectId, KSUID, all UUIDs) are all insecure. Use @paralleldrive/cuid2 instead.
#13 51.89 npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
#13 51.90 npm WARN deprecated source-map-url@0.4.0: See https://github.com/lydell/source-map-url#deprecated
#13 51.94 npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
#13 52.12 npm WARN deprecated set-value@0.4.3: Critical bug fixed in v3.0.1, please upgrade to the latest version.
#13 52.16 npm WARN deprecated set-value@2.0.0: Critical bug fixed in v3.0.1, please upgrade to the latest version.
#13 52.25 npm WARN deprecated mixin-deep@1.3.1: Critical bug fixed in v2.0.1, please upgrade to the latest version.
#13 52.31 npm WARN deprecated source-map-resolve@0.5.1: See https://github.com/lydell/source-map-resolve#deprecated
#13 52.39 npm WARN deprecated ini@1.3.5: Please update to ini >=1.3.6 to avoid a prototype pollution issue
#13 53.61 npm WARN deprecated chokidar@2.1.6: Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies
#13 55.12 npm WARN deprecated flag-icon-css@4.1.7: The project has been renamed to flag-icons

I'm not getting errors anymore, but what should I do to avoid receiving these warnings as well?

Made with ❤️ on ABP v8.2.0-preview Updated on March 25, 2024, 15:11