Sign Out of a Blazor App using the OIDC Authentication Scheme

We have a .NET Core 6 Blazor Server App. We log in with our own Identity Provider using OIDC. We are having an issue signing out.

We have set up our authentication using the following code block.

// Program.cs; `authority` (the IdP issuer URL) and `isDebug` are set elsewhere in the app
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

builder.Services
    .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddCookie()
    .AddOpenIdConnect(opts => {
        // The OIDC handler writes the authenticated user into the cookie session
        opts.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        opts.RequireHttpsMetadata = !isDebug;
        opts.ClientId = "user-accounts-app";
        opts.CallbackPath = "/signin-oidc";
        opts.ResponseType = OpenIdConnectResponseType.Code;
        opts.Authority = authority;
        opts.ClientSecret = builder.Configuration["CLIENT_SECRET"];
        var scopes = new List<string>() {
            "openid", "profile", "email", "phone", "offline_access"
        };
        foreach(var s in scopes)
        {
            opts.Scope.Add(s);
        }
    });

The discovery document does include an end_session_endpoint; however, the endpoint is never hit. We attempt to sign out from a razor page with

// Razor Page handler; needs `using Microsoft.AspNetCore.Authentication;`
// Clears the local cookie session
await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
// This line does not work
// Expected to redirect the browser to the IdP's end_session_endpoint
await HttpContext.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme, new AuthenticationProperties
{
    RedirectUri = "http://mydomainhere.com/our/path/here",
});

Running that 2nd SignOutAsync seems to do nothing. The Identity Provider is not hit at the end session endpoint and nothing happens on our logout page. Our session is not cleared from the IDP.

Additionally, our cookies for the blazor app are not entirely cleared. We have a ton of lingering .AspNetCore.Correlation.<hash-here> cookies with path /signin-oidc (tried to get a screenshot but SO is having server errors with those right now). But the .AspNetCore cookie is cleared successfully by the first SignOutAsync call.

I'm not sure what the behavior of the second SignOutAsync is supposed to be. Would it redirect the user to the logout url of the IDP? Or does it do that in the background? Are we missing some configuration in our call to AddOpenIdConnect() to handle sign out?

Looks like we were just missing an OIDC sign out scheme.

opts.SignOutScheme = OpenIdConnectDefaults.AuthenticationScheme;

This is all we needed to get it working.

ASP.NET will use the sign in scheme if no sign out scheme is specified. The sign in scheme is cookie, which is a bit misleading because the OpenID authority is actually the one you're signed into. Signing in leads to the cookie being created to store the auth token provided by that authority (so you are effectively signed into the client app). If you sign out with a cookie scheme then only the cookie is destroyed: you are signed out of the client, but not the authority. The next time you come to a page, you just get a new cookie because you're already signed into the authority.

The sign out scheme above therefore signs out of the authority, not just the client. I'm not sure if my colleague who figured it out also added a step of removing the cookie. I will edit this with details if I find out they did or not. It may somehow be magically handled by the ASP framework.
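A complete .NET 6 Program.cs that puts the answer's SignOutScheme setting into context, as an added example that is neither the asker's nor the answerer's code. It also adds the two things a practitioner usually needs for the end_session redirect to work end to end: SaveTokens, so the OIDC handler can send id_token_hint, and a registered post-logout callback path. The OIDC_AUTHORITY configuration key, the /logout endpoint, and the SignedOutCallbackPath value are assumptions; the client id, CLIENT_SECRET key and scopes are taken from the question.

```csharp
// Program.cs for a .NET 6 Blazor Server app (added example; assumptions are marked).
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);

// Assumed configuration key: OIDC_AUTHORITY is the provider's issuer URL. CLIENT_SECRET is the key the question uses.
var authority = builder.Configuration["OIDC_AUTHORITY"]
    ?? throw new InvalidOperationException("OIDC_AUTHORITY is not configured");

builder.Services.AddRazorPages();
builder.Services.AddServerSideBlazor();

builder.Services
    .AddAuthentication(options =>
    {
        // The cookie is the local session; the OIDC scheme is used to challenge (log in) and to sign out.
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie()
    .AddOpenIdConnect(opts =>
    {
        opts.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;

        // The setting the answer identified as the missing piece. When it is left unset,
        // the framework copies SignInScheme (the cookie scheme) into it.
        opts.SignOutScheme = OpenIdConnectDefaults.AuthenticationScheme;

        opts.Authority = authority;
        opts.ClientId = "user-accounts-app";
        opts.ClientSecret = builder.Configuration["CLIENT_SECRET"];
        opts.ResponseType = OpenIdConnectResponseType.Code;
        opts.RequireHttpsMetadata = !builder.Environment.IsDevelopment();
        opts.CallbackPath = "/signin-oidc";

        // After ending its session the provider redirects the browser to SignedOutCallbackPath
        // (sent as post_logout_redirect_uri); that absolute URL must be registered with the
        // provider as an allowed post-logout redirect URI. Assumed value (the framework default).
        opts.SignedOutCallbackPath = "/signout-callback-oidc";
        opts.SignedOutRedirectUri = "/";   // used when the sign-out call carries no RedirectUri

        // Keep the tokens in the cookie session so the handler can attach id_token_hint to the
        // end_session request; the RP-initiated logout spec recommends it and some providers require it.
        opts.SaveTokens = true;

        foreach (var s in new[] { "openid", "profile", "email", "phone", "offline_access" })
        {
            opts.Scope.Add(s);
        }
    });

var app = builder.Build();

app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();

// Sign-out has to run on a plain HTTP request, not inside a Blazor component: on the SignalR
// circuit the response has already started, so neither the Set-Cookie header that deletes the
// session cookie nor the 302 to end_session_endpoint can be written. Components get here with
// NavigationManager.NavigateTo("/logout", forceLoad: true). The "/logout" path is an assumption.
app.MapGet("/logout", () => Results.SignOut(
    new AuthenticationProperties { RedirectUri = "/" },
    new[]
    {
        CookieAuthenticationDefaults.AuthenticationScheme, // deletes the local .AspNetCore.Cookies session
        OpenIdConnectDefaults.AuthenticationScheme,        // redirects to end_session_endpoint with id_token_hint
    }));

app.MapBlazorHub();
app.MapFallbackToPage("/_Host");

app.Run();
```

Results.SignOut calls SignOutAsync for each listed scheme in order, which is the same cookie-then-OIDC sequence as the question's Razor Page handler, with the redirect to the provider happening on the second call. The lingering .AspNetCore.Correlation.* cookies the question mentions are a separate matter: one is written for every OIDC challenge, scoped to CallbackPath, and deleted only when the matching /signin-oidc callback arrives; challenges that never complete leave theirs behind until they expire (RemoteAuthenticationTimeout, 15 minutes by default), and sign-out does not touch them.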

Notice: the technical posts on this site are published under the CC BY-SA 4.0 license. If you need to republish, please credit this site or the original source. For any questions contact yoyou2525@163.com.
