IdentityServer4 + ASP.Net Core Identity 從客戶端注銷不會在 ID4 上注銷

Question

我使用 ID4 作為 OIDC 和 ASP.Net Core Identity 來管理用戶成員資格。 帶有 Pagemodel 的剃刀。 我有一個使用 SSO 正確登錄的測試客戶端。 在注銷時，它會注銷客戶端，但不會從 ID4 服務器注銷。

在注銷時，客戶端使用結束會話 url 重定向到我的 ID4 服務器。 它確實有提示令牌。 ID4 服務器確實顯示了注銷頁面，但它仍處於登錄狀態。我懷疑問題是我使用腳架式 ASP.Net Identity 頁面進行登錄/注銷。

手動單擊 ID4 服務器上的注銷按鈕按預期工作。 用戶登錄到服務器和客戶端。

我可以通過重定向到 ASP.Net Core Indentity 注銷頁面並讓 OnGet 方法調用 _signInManager.SignOutAsync() 來使其工作。 但這對我來說似乎是一個糟糕的解決方案。

閱讀 ID4 文檔、規范以及許多 github 和 SO 帖子，我的客戶端上有以下注銷代碼：

var id_token = (await HttpContext.AuthenticateAsync()).Properties.Items[".Token.id_token"];

await HttpContext.SignOutAsync("Cookies");
await HttpContext.SignOutAsync("oidc");

var redirectUrl = $"{Startup.IdentityServerUrl}/connect/endsession?id_token_hint={id_token}";

return Redirect(redirectUrl);

這是我的客戶的啟動代碼：

  // This method gets called by the runtime. Use this method to add services to the container.
    public void ConfigureServices(IServiceCollection services)
    {
        JwtSecurityTokenHandler.DefaultMapInboundClaims = false;

        services.AddAuthentication(options =>
        {
            options.DefaultScheme = "Cookies";
            options.DefaultChallengeScheme = "oidc";
        })
            .AddCookie("Cookies")
            .AddOpenIdConnect("oidc", options =>
            {
                options.Authority = IdentityServerUrl;
                options.RequireHttpsMetadata = false;

                options.ClientId = "testClient1";
                options.ClientSecret = "xxxxxxxxxxxxx";
                options.ResponseType = "code";

                options.SaveTokens = true;
            });


        services.AddRazorPages();


    }

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }
        else
        {
            app.UseExceptionHandler("/Error");
            // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
            app.UseHsts();
        }

        app.UseStaticFiles();

        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();

        app.UseEndpoints(endpoints =>
        {
            endpoints.MapRazorPages();
            endpoints.MapDefaultControllerRoute()
                .RequireAuthorization();
        });

    }

這是我的 ID4 服務器的啟動代碼：

 public void ConfigureServices(IServiceCollection services)
    {
        var connectionString = Configuration.GetConnectionString("DefaultConnection");

        var migrationsAssembly = typeof(Startup).GetTypeInfo().Assembly.GetName().Name;

        services.AddDbContext<ApplicationDbContext>(options =>
            options.UseSqlServer(connectionString));

        services.AddIdentity<ApplicationUser, IdentityRole>(
           config =>
           {
               config.SignIn.RequireConfirmedEmail = true;
               config.SignIn.RequireConfirmedAccount = true;
               config.User.RequireUniqueEmail = true;
               config.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(5);
               config.Lockout.MaxFailedAccessAttempts = 5;
               config.Lockout.AllowedForNewUsers = true;
           })
               .AddEntityFrameworkStores<ApplicationDbContext>()
               .AddDefaultTokenProviders();



        // these point ID4 to the correct pages for login, logout, etc.
        services.ConfigureApplicationCookie((options) =>
        {
            options.LoginPath = "/Identity/Account/Login";
            options.LogoutPath = "/Identity/Account/Logout";
            options.AccessDeniedPath = "/Error";
        });


        services.AddIdentityServer()
            .AddOperationalStore(options =>
                options.ConfigureDbContext = builder =>
                    builder.UseSqlServer(connectionString, sqlOptions => sqlOptions.MigrationsAssembly(migrationsAssembly)))
            .AddConfigurationStore(options =>
                options.ConfigureDbContext = builder =>
                    builder.UseSqlServer(connectionString, sqlOptions => sqlOptions.MigrationsAssembly(migrationsAssembly)))
            .AddAspNetIdentity<ApplicationUser>()
            .AddDeveloperSigningCredential();

        ConfigureEmailServices(services);

        services.AddRazorPages();


    }

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
            app.UseDatabaseErrorPage();

            InitializeDbTestData(app);

        }
        else
        {
            app.UseExceptionHandler("/Home/Error");
            // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
            app.UseHsts();
        }

        app.UseHttpsRedirection();
        app.UseStaticFiles();

        app.UseRouting();

        app.UseAuthentication();
        app.UseAuthorization();

        app.UseIdentityServer();

        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllerRoute(
                name: "default",
                pattern: "{controller=Home}/{action=Index}/{id?}");

            endpoints.MapRazorPages();
        });
    }

Answer 1

對於 idp 注銷，您不需要手動重定向。 簡單地返回一個SignOutResult ，重定向將由 oidc 處理程序通過使用發現端點並正確安裝請求來完成。 將此代碼放在您的注銷方法中：

 return SignOut(new[] { "Cookies", "oidc" });

或者這個其他：

return new SignOutResult(new[] { "Cookies", "oidc" });

如果您想在 idp 注銷后重定向到客戶端，請設置您的 postLogoutRedirectUri。