Logout broken after adding partial sign in
- [x] I read and understood how to enable logging
Question / Issue
I am using ADFS over WS-Fed from IdentityServer3 for user authentication. I am also intercepting the AuthenticateExternalAsync call to issue a partial login after a user successfully logs in and returns from ADFS.
I perform some validations and then use the below code to resume the login process.
```csharp
await ctx.Environment.UpdatePartialLoginClaimsAsync(claims);
var resumeUrl = await ctx.Environment.GetPartialLoginResumeUrlAsync();
return Redirect(resumeUrl);
```
This way login works fine and the user is not intercepted again during the session. However, on logout, the redirect to ADFS does not happen. When I try to log in again, I notice that I am already logged into ADFS and AuthenticateExternalAsync is triggered directly without the RedirectToIdentityProvider call.
Am I missing something to set up partial login?
Not sure what the issue is. What do the logs say at logout time?
Hey Brock. I am trying to put together an MFA flow (without ASPNET Identity). Below is how I initiate partial login.
```csharp
public override async Task AuthenticateExternalAsync(ExternalAuthenticationContext context)
{
    // All my users MUST go through MFA only and so
    // I return from here with just a partial login AuthenticateResult.
    await RunMfaRoutines(context);
}
```
The RunMfaRoutines() method does some non-IdentityServer-related logic and finally issues a partial authentication context like below:
```csharp
context.AuthenticateResult = new AuthenticateResult("~/mfa", sub, email, claims);
```
I am able to know who logged in using:
```csharp
var user = await ctx.Environment.GetIdentityServerPartialLoginAsync();
```
The user is sent an MFA token, which is then validated, after which I call the code below to resume the partial login:
```csharp
await ctx.Environment.UpdatePartialLoginClaimsAsync(claims);
var resumeUrl = await ctx.Environment.GetPartialLoginResumeUrlAsync();
return Redirect(resumeUrl);
```
The user is successfully logged in. When I try the connect/endsession endpoint, it just ends the IdentityServer session without triggering an ADFS logout. "RedirectToIdentityProvider" is not called through the WS-Fed middleware. I still land on the logged-out page without any errors though. So the next time I log in, the ADFS cookie still exists and, after a "RedirectToIdentityProvider" through the WS-Fed middleware, I land in the AuthenticateExternalAsync method again with a logged-in user.
The ADFS logout works by itself fine if I don't add the partial login piece, and instead issue a full login context.
There are no exceptions and the logs look fine.
Here are the logs:
```text
09/10/2017 19:11:50 -05:00 [Information] MyIdentityServer.Core.RequestLogging.RequestLoggingMiddleware: Start request https://myidserver/connect/endsession
09/10/2017 19:11:50 -05:00 [Information] IdentityServer3.Core.Endpoints.EndSessionController: Start end session request
09/10/2017 19:11:50 -05:00 [Information] IdentityServer3.Core.Validation.EndSessionRequestValidator: Start end session request validation
09/10/2017 19:11:50 -05:00 [Information] IdentityServer3.Core.Validation.EndSessionRequestValidator: "End session request validation success" "{ "SubjectId": "xxx-xxx-xxx-xxx-xxx", "Raw": {} }"
09/10/2017 19:11:50 -05:00 [Information] IdentityServer3.Core.Endpoints.EndSessionController: End end session request
09/10/2017 19:11:50 -05:00 [Information] IdentityServer3.Core.Results.LogoutResult: Redirecting to logout page
09/10/2017 19:11:50 -05:00 [Debug] IdentityServer3.Core.Configuration.Hosting.MessageCookie`1: Protecting message: "{"Created":636406855109478344}"
09/10/2017 19:11:50 -05:00 [Information] MyIdentityServer.Core.RequestLogging.RequestLoggingMiddleware: End request 302"Found"
09/10/2017 19:11:51 -05:00 [Information] MyIdentityServer.Core.RequestLogging.RequestLoggingMiddleware: Start request https://myidserver/logout?id=7120ca4577c5707551f9735e5921a58d
09/10/2017 19:11:51 -05:00 [Information] IdentityServer3.Core.Endpoints.AuthenticationController: Logout prompt for subject: "xxx-xxx-xxx-xxx-xxx"
09/10/2017 19:11:51 -05:00 [Information] IdentityServer3.Core.Endpoints.AuthenticationController: EnableSignOutPrompt set to true, rendering logout prompt
09/10/2017 19:11:51 -05:00 [Information] MyIdentityServer.Core.RequestLogging.RequestLoggingMiddleware: End request 200"OK"
09/10/2017 19:11:51 -05:00 [Information] MyIdentityServer.Core.RequestLogging.RequestLoggingMiddleware: Start request https://myidserver/csp/report
09/10/2017 19:11:51 -05:00 [Information] IdentityServer3.Core.Endpoints.CspReportController: CSP Report endpoint requested
09/10/2017 19:11:51 -05:00 [Information] IdentityServer3.Core.Endpoints.CspReportController: CSP Report data: "{"csp-report":{"blocked-uri":"self","document-uri":"https://myidserver/logout?id=7120ca4577c5707551f9735e5921a58d","original-policy":"default-src https://myidserver; script-src https://myidserver; style-src https://myidserver 'unsafe-inline'; img-src *; report-uri https://myidserver/csp/report","referrer":"","script-sample":"onfocusin attribute on DIV element","source-file":"https://myidserver/logout?id=7120ca4577c5707551f9735e5921a58d","violated-directive":"script-src https://myidserver"}}"
09/10/2017 19:11:51 -05:00 [Information] IdentityServer3.Core.Endpoints.CspReportController: Rendering 204
09/10/2017 19:11:51 -05:00 [Information] MyIdentityServer.Core.RequestLogging.RequestLoggingMiddleware: End request 204"No Content"
09/10/2017 19:11:51 -05:00 [Information] MyIdentityServer.Core.RequestLogging.RequestLoggingMiddleware: Start request https://myidserver/csp/report
09/10/2017 19:11:51 -05:00 [Information] IdentityServer3.Core.Endpoints.CspReportController: CSP Report endpoint requested
09/10/2017 19:11:51 -05:00 [Information] IdentityServer3.Core.Endpoints.CspReportController: CSP Report data: "{"csp-report":{"blocked-uri":"self","document-uri":"https://myidserver/logout?id=7120ca4577c5707551f9735e5921a58d","line-number":174,"original-policy":"default-src https://myidserver; script-src https://myidserver; style-src https://myidserver 'unsafe-inline'; img-src *; report-uri https://myidserver/csp/report","referrer":"","script-sample":"call to eval() or related function blocked by CSP","source-file":"https://myidserver/assets/scripts.2.5.0.js","violated-directive":"script-src https://myidserver"}}"
09/10/2017 19:11:51 -05:00 [Information] IdentityServer3.Core.Endpoints.CspReportController: Rendering 204
09/10/2017 19:11:51 -05:00 [Information] MyIdentityServer.Core.RequestLogging.RequestLoggingMiddleware: End request 204"No Content"
09/10/2017 19:11:52 -05:00 [Information] MyIdentityServer.Core.RequestLogging.RequestLoggingMiddleware: Start request https://myidserver/logout?id=7120ca4577c5707551f9735e5921a58d
09/10/2017 19:11:52 -05:00 [Information] IdentityServer3.Core.Endpoints.AuthenticationController: Logout endpoint submitted
09/10/2017 19:11:52 -05:00 [Information] IdentityServer3.Core.Endpoints.AuthenticationController: Logout requested for subject: "xxx-xxx-xxx-xxx-xxx"
09/10/2017 19:11:52 -05:00 [Information] IdentityServer3.Core.Endpoints.AuthenticationController: Clearing cookies
09/10/2017 19:11:52 -05:00 [Information] IdentityServer3.Core.Endpoints.AuthenticationController: rendering logged out page
09/10/2017 19:11:52 -05:00 [Information] MyIdentityServer.Core.RequestLogging.RequestLoggingMiddleware: End request 200"OK"
09/10/2017 19:11:53 -05:00 [Information] MyIdentityServer.Core.RequestLogging.RequestLoggingMiddleware: Start request https://myidserver/csp/report
09/10/2017 19:11:53 -05:00 [Information] IdentityServer3.Core.Endpoints.CspReportController: CSP Report endpoint requested
09/10/2017 19:11:53 -05:00 [Information] IdentityServer3.Core.Endpoints.CspReportController: CSP Report data: "{"csp-report":{"blocked-uri":"self","document-uri":"https://myidserver/logout?id=7120ca4577c5707551f9735e5921a58d","original-policy":"default-src https://myidserver; script-src https://myidserver; style-src https://myidserver 'unsafe-inline'; img-src *; report-uri https://myidserver/csp/report","referrer":"https://myidserver/logout?id=7120ca4577c5707551f9735e5921a58d","script-sample":"onfocusin attribute on DIV element","source-file":"https://myidserver/logout?id=7120ca4577c5707551f9735e5921a58d","violated-directive":"script-src https://myidserver"}}"
09/10/2017 19:11:53 -05:00 [Information] IdentityServer3.Core.Endpoints.CspReportController: Rendering 204
09/10/2017 19:11:53 -05:00 [Information] MyIdentityServer.Core.RequestLogging.RequestLoggingMiddleware: End request 204"No Content"
09/10/2017 19:11:53 -05:00 [Information] MyIdentityServer.Core.RequestLogging.RequestLoggingMiddleware: Start request https://myidserver/csp/report
09/10/2017 19:11:53 -05:00 [Information] IdentityServer3.Core.Endpoints.CspReportController: CSP Report endpoint requested
09/10/2017 19:11:53 -05:00 [Information] IdentityServer3.Core.Endpoints.CspReportController: CSP Report data: "{"csp-report":{"blocked-uri":"self","document-uri":"https://myidserver/logout?id=7120ca4577c5707551f9735e5921a58d","line-number":174,"original-policy":"default-src https://myidserver; script-src https://myidserver; style-src https://myidserver 'unsafe-inline'; img-src *; report-uri https://myidserver/csp/report","referrer":"https://myidserver/logout?id=7120ca4577c5707551f9735e5921a58d","script-sample":"call to eval() or related function blocked by CSP","source-file":"https://myidserver/assets/scripts.2.5.0.js","violated-directive":"script-src https://myidserver"}}"
09/10/2017 19:11:53 -05:00 [Information] IdentityServer3.Core.Endpoints.CspReportController: Rendering 204
09/10/2017 19:11:53 -05:00 [Information] MyIdentityServer.Core.RequestLogging.RequestLoggingMiddleware: End request 204"No Content"
09/10/2017 19:11:53 -05:00 [Information] MyIdentityServer.Core.RequestLogging.RequestLoggingMiddleware: Start request https://myidserver/connect/endsessioncallback?sid=4d4cbad6a095fe1e0297329ae3132b86
09/10/2017 19:11:53 -05:00 [Information] IdentityServer3.Core.Endpoints.EndSessionController: End session callback requested
09/10/2017 19:11:53 -05:00 [Debug] IdentityServer3.Core.Endpoints.EndSessionController: No client end session iframe URLs
09/10/2017 19:11:53 -05:00 [Information] CustomRequestLogging.RequestLoggingMiddleware: End request 200"OK"
```
If you create the login cookie then you need to make sure you set an idp claim so we know internally what external provider to trigger. Perhaps that's it? If not, then I think you'd need to contact me for consulting support to debug.
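The following is an added example illustrating the point in the reply above; it is not the reporter's code and not IdentityServer3's own source. It puts the two pieces from the thread side by side: the partial login issued from AuthenticateExternalAsync, and the MFA step that resumes it. The partial-login AuthenticateResult in the thread is built with only redirect path, subject, name and claims, so the identity-provider argument keeps its default (the built-in "idsrv" provider) and the session is recorded as local; at logout there is then no external provider to sign out of, which matches the logs above (cookies cleared, no RedirectToIdentityProvider). The operational consequence the reporter saw is the security-relevant one: the ADFS SSO cookie outlives the IdentityServer logout, so the next visit from the same browser re-authenticates without any prompt. The example passes context.ExternalIdentity.Provider as the identity provider so the resulting identity carries the idp claim, and carries that claim over explicitly when the partial claims are updated. Assumptions: IdentityServer3 2.x with the WS-Federation OWIN middleware registered under a scheme name that ExternalIdentity.Provider reports; the constructor and extension-method signatures are as I read them in IdentityServer3 and should be checked against the version in use; MfaCodeVerifier and the subject lookup are hypothetical placeholders.

```csharp
// Added example, not the reporter's code nor IdentityServer3's own source.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;                         // Request.GetOwinContext() (Microsoft.Owin.Host.SystemWeb)
using System.Web.Mvc;
using IdentityServer3.Core;               // Constants.ClaimTypes
using IdentityServer3.Core.Extensions;    // partial-login OWIN environment helpers
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Services.Default;

public class MfaUserService : UserServiceBase
{
    public override Task AuthenticateExternalAsync(ExternalAuthenticationContext context)
    {
        var external = context.ExternalIdentity;   // Provider, ProviderId and the claims ADFS sent

        // Hypothetical: map the ADFS identity to the local subject id. A real
        // implementation would look this up in its own user store.
        var sub = external.ProviderId;
        var email = external.Claims
            .Where(c => c.Type == ClaimTypes.Email)
            .Select(c => c.Value)
            .FirstOrDefault() ?? string.Empty;

        // Partial login: the user is sent to "~/mfa" before a session is issued.
        // The identityProvider argument is what matters for sign-out. If it is left
        // at its default (Constants.BuiltInIdentityProvider), IdentityServer records
        // the session as local and will not ask the WS-Fed middleware to sign the
        // user out of ADFS when the session ends.
        context.AuthenticateResult = new AuthenticateResult(
            redirectPath: "~/mfa",
            subject: sub,
            name: email,
            claims: external.Claims,
            identityProvider: external.Provider);  // becomes the "idp" claim on the identity

        return Task.FromResult(0);
    }
}

public class MfaController : Controller
{
    // Hypothetical verifier for the one-time code sent to the user earlier.
    private readonly Func<string, string, bool> _mfaCodeVerifier;

    public MfaController(Func<string, string, bool> mfaCodeVerifier)
    {
        _mfaCodeVerifier = mfaCodeVerifier;
    }

    [HttpPost, ValidateAntiForgeryToken]
    public async Task<ActionResult> Verify(string code)
    {
        var env = Request.GetOwinContext().Environment;

        // Identifies who is mid-login; null means there is no partial login to resume.
        var partial = await env.GetIdentityServerPartialLoginAsync();
        if (partial == null) return RedirectToAction("Index", "Home");

        var sub = partial.FindFirst(Constants.ClaimTypes.Subject)?.Value;
        if (sub == null || !_mfaCodeVerifier(sub, code))
        {
            ModelState.AddModelError(string.Empty, "Invalid code");
            return View();
        }

        // Carry the idp claim over explicitly so the final identity does not depend
        // on which claims UpdatePartialLoginClaimsAsync preserves, and record that
        // MFA was performed via the "amr" claim.
        var claims = partial.Claims
            .Where(c => c.Type == Constants.ClaimTypes.IdentityProvider)
            .Concat(new[] { new Claim(Constants.ClaimTypes.AuthenticationMethod, "mfa") })
            .ToList();

        await env.UpdatePartialLoginClaimsAsync(claims);
        return Redirect(await env.GetPartialLoginResumeUrlAsync());
    }
}
```

A quick check after applying this: inspect the claims of the signed-in identity on a test page and confirm an idp claim equal to the WS-Fed scheme name is present before exercising connect/endsession; if it is, the logout path has the information it needs to trigger the external sign-out the reporter was expecting.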