IdentityServer v3 and “Post Logout Redirect”

One frequently requested feature was the ability to redirect back to the client after logging out of IdentityServer. The session management spec describes this in the “RP-initiated logout” section.

While this is a nice convenience feature and seems trivial to implement, there are some security concerns around the validation of the URL to redirect to after logout is done. This feature could be abused for phishing.

The client first has to prove that it is a legitimate client by sending the original identity token that it received back to the logout endpoint. Furthermore you can now register a list of valid redirect URIs for each client. The request looks like this:

/connect/endsession?
  id_token_hint=<original_id_token>&
  post_logout_redirect_uri=https://client.com&
  state=some_state

How do you preserve the id_token? You need to store it somehow – e.g. using in the authentication cookie during SecurityTokenValidated notification when using the Katana OIDC middleware. You can then use the RedirectToIdentityProvider notification to attach it back on logout:

RedirectToIdentityProvider = async n =>

    {

        // if signing out, add the id_token_hint

        if (n.ProtocolMessage.RequestType ==
             
OpenIdConnectRequestType
.LogoutRequest)

        {

            var idTokenHint =
              n.OwinContext.Authentication.User.FindFirst(
“id_token”
).Value;

            n.ProtocolMessage.IdTokenHint = idTokenHint;

        }

    }

 

There are various ways how you can specify the post logout redirect URI – through the above event handler, statically on the OpenIdConnectAuthenticationOptions, or via the RedirectUri property on the AuthenticationProperties when calling IAuthenticationManager.SignOut.

See this sample here. HTH.

This entry was posted in Uncategorized. Bookmark the permalink.

7 Responses to IdentityServer v3 and “Post Logout Redirect”

  1. Greg Manrodt says:

    What is required on the Identity Server to make this work? For example, using the ASPNET Identity example in GitHub (with some reconfiguration of the client to allow Hybrid and “KatanaClient”), and MVC OWIN Client (Hybrid), I get many exceptions.

    I believe that I have the client configured correctly (maybe not??) but response.AccessToken and response.RefreshToken are both null (the tokenClient.RequestAuthorizationCodeAsync(n.Code, n.RedirectUri); call fails). However, since I don’t really need those values to test the redirect, I have commented them out. The server still doesn’t honor the PostLogoutRedirectUri setting in the OpenIdConnectAuthenticationOptions.

    I was thinking that perhaps the ASP NET Identity example in GitHub is using outdated code, prior to the implementation of support for the logout url?

  2. Andy says:

    How to do it without using app.UseOpenIdConnectAuthentication. OpenId is not available to use on Mono.

  3. Allan says:

    Something that’s not so nice about having to preserve the id_token, is that the cookie become much larger

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s