This repository has been archived by the owner on Sep 18, 2021. It is now read-only.

Logout broken after adding partial sign in #3853

tiwari-abhishek opened this issue Sep 10, 2017 · 3 comments

tiwari-abhishek commented Sep 10, 2017

- [x] I read and understood how to enable logging

Question / Issue

I am using ADFS over ws-fed from IdentityServer3 for user authentication. I am also intercepting the AuthenticateExternalAsync call to issue a partial login after a user successfully logs in and returns from ADFS.

I perform some validations and then use the code below to resume the login process.

```csharp
await ctx.Environment.UpdatePartialLoginClaimsAsync(claims);
var resumeUrl = await ctx.Environment.GetPartialLoginResumeUrlAsync();
return Redirect(resumeUrl);
```

This way, login works fine and the user is not intercepted again during the session. However, on logout the redirect to ADFS does not happen. When I try to log in again, I notice that I am already logged into ADFS and AuthenticateExternalAsync is triggered directly without the RedirectToIdentityProvider call.

Am I missing something to set up partial login?

brockallen (Member) commented:
Not sure what the issue is. What do the logs say at logout time?

tiwari-abhishek (Author) commented:
Hey Brock. I am trying to put together an MFA flow (without ASPNET Identity). Below is how I initiate partial login.

```csharp
public override async Task AuthenticateExternalAsync(ExternalAuthenticationContext context)
{
    // All my users MUST go through MFA only and so
    // I return from here with just a partial login AuthenticateResult.
    await RunMfaRoutines(context);
}
```

The RunMfaRoutines() method does some non-IdentityServer-related logic and finally issues a partial authentication context like below:

```csharp
context.AuthenticateResult = new AuthenticateResult("~/mfa", sub, email, claims);
```

I am able to know who logged in using:

```csharp
var user = await ctx.Environment.GetIdentityServerPartialLoginAsync();
```

The user is sent an MFA token, which is then validated, and then I call the code below to resume the partial login:

```csharp
await ctx.Environment.UpdatePartialLoginClaimsAsync(claims);
var resumeUrl = await ctx.Environment.GetPartialLoginResumeUrlAsync();
return Redirect(resumeUrl);
```

The user is successfully logged in. When I try the connect/endsession endpoint, it just ends the IdentityServer session without triggering an ADFS logout. "RedirectToIdentityProvider" is not called through the WS-Fed middleware. I still land on the logged-out page without any errors, though. So the next time I log in, the ADFS cookie still exists, and after a "RedirectToIdentityProvider" through the WS-Fed middleware I land in the AuthenticateExternalAsync method again with a logged-in user.

The ADFS logout works by itself fine if I don't add the partial login piece, and instead issue a full login context.

There are no exceptions and the logs look fine.

Here are the logs:

```text
09/10/2017 19:11:50 -05:00 [Information] MyIdentityServer.Core.RequestLogging.RequestLoggingMiddleware: Start request https://myidserver/connect/endsession
09/10/2017 19:11:50 -05:00 [Information] IdentityServer3.Core.Endpoints.EndSessionController: Start end session request
09/10/2017 19:11:50 -05:00 [Information] IdentityServer3.Core.Validation.EndSessionRequestValidator: Start end session request validation
09/10/2017 19:11:50 -05:00 [Information] IdentityServer3.Core.Validation.EndSessionRequestValidator: "End session request validation success"
"{
"SubjectId": "xxx-xxx-xxx-xxx-xxx",
"Raw": {}
}"
09/10/2017 19:11:50 -05:00 [Information] IdentityServer3.Core.Endpoints.EndSessionController: End end session request
09/10/2017 19:11:50 -05:00 [Information] IdentityServer3.Core.Results.LogoutResult: Redirecting to logout page
09/10/2017 19:11:50 -05:00 [Debug] IdentityServer3.Core.Configuration.Hosting.MessageCookie`1: Protecting message: "{"Created":636406855109478344}"
09/10/2017 19:11:50 -05:00 [Information] MyIdentityServer.Core.RequestLogging.RequestLoggingMiddleware: End request 302"Found"
09/10/2017 19:11:51 -05:00 [Information] MyIdentityServer.Core.RequestLogging.RequestLoggingMiddleware: Start request https://myidserver/logout?id=7120ca4577c5707551f9735e5921a58d
09/10/2017 19:11:51 -05:00 [Information] IdentityServer3.Core.Endpoints.AuthenticationController: Logout prompt for subject: "xxx-xxx-xxx-xxx-xxx"
09/10/2017 19:11:51 -05:00 [Information] IdentityServer3.Core.Endpoints.AuthenticationController: EnableSignOutPrompt set to true, rendering logout prompt
09/10/2017 19:11:51 -05:00 [Information] MyIdentityServer.Core.RequestLogging.RequestLoggingMiddleware: End request 200"OK"
09/10/2017 19:11:51 -05:00 [Information] MyIdentityServer.Core.RequestLogging.RequestLoggingMiddleware: Start request https://myidserver/csp/report
09/10/2017 19:11:51 -05:00 [Information] IdentityServer3.Core.Endpoints.CspReportController: CSP Report endpoint requested
09/10/2017 19:11:51 -05:00 [Information] IdentityServer3.Core.Endpoints.CspReportController: CSP Report data: "{"csp-report":{"blocked-uri":"self","document-uri":"https://myidserver/logout?id=7120ca4577c5707551f9735e5921a58d\",\"original-policy\":\"default-src https://myidserver; script-src https://myidserver; style-src https://myidserver 'unsafe-inline'; img-src *; report-uri https://myidserver/csp/report\",\"referrer\":\"\",\"script-sample\":\"onfocusin attribute on DIV element","source-file":"https://myidserver/logout?id=7120ca4577c5707551f9735e5921a58d\",\"violated-directive\":\"script-src https://myidserver\"}}"
09/10/2017 19:11:51 -05:00 [Information] IdentityServer3.Core.Endpoints.CspReportController: Rendering 204
09/10/2017 19:11:51 -05:00 [Information] MyIdentityServer.Core.RequestLogging.RequestLoggingMiddleware: End request 204"No Content"
09/10/2017 19:11:51 -05:00 [Information] MyIdentityServer.Core.RequestLogging.RequestLoggingMiddleware: Start request https://myidserver/csp/report
09/10/2017 19:11:51 -05:00 [Information] IdentityServer3.Core.Endpoints.CspReportController: CSP Report endpoint requested
09/10/2017 19:11:51 -05:00 [Information] IdentityServer3.Core.Endpoints.CspReportController: CSP Report data: "{"csp-report":{"blocked-uri":"self","document-uri":"https://myidserver/logout?id=7120ca4577c5707551f9735e5921a58d\",\"line-number\":174,\"original-policy\":\"default-src https://myidserver; script-src https://myidserver; style-src https://myidserver 'unsafe-inline'; img-src *; report-uri https://myidserver/csp/report\",\"referrer\":\"\",\"script-sample\":\"call to eval() or related function blocked by CSP","source-file":"https://myidserver/assets/scripts.2.5.0.js\",\"violated-directive\":\"script-src https://myidserver\"}}"
09/10/2017 19:11:51 -05:00 [Information] IdentityServer3.Core.Endpoints.CspReportController: Rendering 204
09/10/2017 19:11:51 -05:00 [Information] MyIdentityServer.Core.RequestLogging.RequestLoggingMiddleware: End request 204"No Content"
09/10/2017 19:11:52 -05:00 [Information] MyIdentityServer.Core.RequestLogging.RequestLoggingMiddleware: Start request https://myidserver/logout?id=7120ca4577c5707551f9735e5921a58d
09/10/2017 19:11:52 -05:00 [Information] IdentityServer3.Core.Endpoints.AuthenticationController: Logout endpoint submitted
09/10/2017 19:11:52 -05:00 [Information] IdentityServer3.Core.Endpoints.AuthenticationController: Logout requested for subject: "xxx-xxx-xxx-xxx-xxx"
09/10/2017 19:11:52 -05:00 [Information] IdentityServer3.Core.Endpoints.AuthenticationController: Clearing cookies
09/10/2017 19:11:52 -05:00 [Information] IdentityServer3.Core.Endpoints.AuthenticationController: rendering logged out page
09/10/2017 19:11:52 -05:00 [Information] MyIdentityServer.Core.RequestLogging.RequestLoggingMiddleware: End request 200"OK"
09/10/2017 19:11:53 -05:00 [Information] MyIdentityServer.Core.RequestLogging.RequestLoggingMiddleware: Start request https://myidserver/csp/report
09/10/2017 19:11:53 -05:00 [Information] IdentityServer3.Core.Endpoints.CspReportController: CSP Report endpoint requested
09/10/2017 19:11:53 -05:00 [Information] IdentityServer3.Core.Endpoints.CspReportController: CSP Report data: "{"csp-report":{"blocked-uri":"self","document-uri":"https://myidserver/logout?id=7120ca4577c5707551f9735e5921a58d\",\"original-policy\":\"default-src https://myidserver; script-src https://myidserver; style-src https://myidserver 'unsafe-inline'; img-src *; report-uri https://myidserver/csp/report\",\"referrer\":\"https://myidserver/logout?id=7120ca4577c5707551f9735e5921a58d\",\"script-sample\":\"onfocusin attribute on DIV element","source-file":"https://myidserver/logout?id=7120ca4577c5707551f9735e5921a58d\",\"violated-directive\":\"script-src https://myidserver\"}}"
09/10/2017 19:11:53 -05:00 [Information] IdentityServer3.Core.Endpoints.CspReportController: Rendering 204
09/10/2017 19:11:53 -05:00 [Information] MyIdentityServer.Core.RequestLogging.RequestLoggingMiddleware: End request 204"No Content"
09/10/2017 19:11:53 -05:00 [Information] MyIdentityServer.Core.RequestLogging.RequestLoggingMiddleware: Start request https://myidserver/csp/report
09/10/2017 19:11:53 -05:00 [Information] IdentityServer3.Core.Endpoints.CspReportController: CSP Report endpoint requested
09/10/2017 19:11:53 -05:00 [Information] IdentityServer3.Core.Endpoints.CspReportController: CSP Report data: "{"csp-report":{"blocked-uri":"self","document-uri":"https://myidserver/logout?id=7120ca4577c5707551f9735e5921a58d\",\"line-number\":174,\"original-policy\":\"default-src https://myidserver; script-src https://myidserver; style-src https://myidserver 'unsafe-inline'; img-src *; report-uri https://myidserver/csp/report\",\"referrer\":\"https://myidserver/logout?id=7120ca4577c5707551f9735e5921a58d\",\"script-sample\":\"call to eval() or related function blocked by CSP","source-file":"https://myidserver/assets/scripts.2.5.0.js\",\"violated-directive\":\"script-src https://myidserver\"}}"
09/10/2017 19:11:53 -05:00 [Information] IdentityServer3.Core.Endpoints.CspReportController: Rendering 204
09/10/2017 19:11:53 -05:00 [Information] MyIdentityServer.Core.RequestLogging.RequestLoggingMiddleware: End request 204"No Content"
09/10/2017 19:11:53 -05:00 [Information] MyIdentityServer.Core.RequestLogging.RequestLoggingMiddleware: Start request https://myidserver/connect/endsessioncallback?sid=4d4cbad6a095fe1e0297329ae3132b86
09/10/2017 19:11:53 -05:00 [Information] IdentityServer3.Core.Endpoints.EndSessionController: End session callback requested
09/10/2017 19:11:53 -05:00 [Debug] IdentityServer3.Core.Endpoints.EndSessionController: No client end session iframe URLs
09/10/2017 19:11:53 -05:00 [Information] CustomRequestLogging.RequestLoggingMiddleware: End request 200"OK"
```

brockallen (Member) commented:
If you create the login cookie then you need to make sure you set an idp claim so we know internally what external provider to trigger. Perhaps that's it? If not, then I think you'd need to contact me for consulting support to debug.
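The point in the last comment, as an added example that is neither the reporter's code nor code from the IdentityServer3 project: the partial login created in `AuthenticateExternalAsync` must record the external provider in the `idp` claim, and the MFA resume step must not drop that claim, otherwise end-session has no external provider to sign out of and only the local cookie is cleared, which matches the logs above. The example assumes the IdentityServer3 2.x APIs (`UserServiceBase`, `AuthenticateResult`, `ExternalAuthenticationContext`, the OWIN environment extensions), and it assumes `UpdatePartialLoginClaimsAsync` replaces the user's claims with the list passed in, which is why the resume step starts from the existing partial-login claims rather than a fresh list. `MfaUserService`, `MfaController`, `IMfaTokenVerifier` and the `~/mfa` page are hypothetical names.

```csharp
// Added example (not the issue reporter's code and not IdentityServer3's own code).
// Assumptions: IdentityServer3 2.x APIs; MfaUserService, MfaController, IMfaTokenVerifier
// and the "~/mfa" page are hypothetical names.
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using IdentityServer3.Core;
using IdentityServer3.Core.Extensions;
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Services.Default;

public class MfaUserService : UserServiceBase
{
    public override Task AuthenticateExternalAsync(ExternalAuthenticationContext context)
    {
        var ext = context.ExternalIdentity;       // provider name and claims returned by ADFS
        var sub = ext.ProviderId;                 // hypothetical: the provider's id doubles as the subject
        var name = ext.Claims.FirstOrDefault(c => c.Type == ClaimTypes.Email)?.Value ?? sub;

        // Partial login: the user still has to finish MFA at ~/mfa before a full session is
        // issued. The identityProvider argument is what makes logout work later. Left at its
        // default (Constants.BuiltInIdentityProvider, "idsrv"), the "idp" claim says the user
        // signed in locally, so end-session has nothing external to sign out of. With
        // ext.Provider, the WS-Fed middleware's AuthenticationType is stored in "idp" and
        // sign-out can redirect to ADFS.
        context.AuthenticateResult = new AuthenticateResult(
            redirectPath: "~/mfa",
            subject: sub,
            name: name,
            claims: ext.Claims,
            identityProvider: ext.Provider,
            authenticationMethod: Constants.AuthenticationMethods.External);

        return Task.FromResult(0);
    }
}

// Hypothetical dependency: validates the one-time code that was sent to the user out of band.
public interface IMfaTokenVerifier
{
    bool Verify(string subject, string code);
}

public class MfaController : Controller
{
    private readonly IMfaTokenVerifier _verifier;

    public MfaController(IMfaTokenVerifier verifier)
    {
        _verifier = verifier;
    }

    // True when the partial login still names an external provider. Checking (and logging)
    // this before resuming is a cheap way to catch the "logout clears only the local
    // cookie" symptom before it reaches users.
    public static bool HasExternalIdp(ClaimsPrincipal partial)
    {
        var idp = partial.FindFirst(Constants.ClaimTypes.IdentityProvider);
        return idp != null && idp.Value != Constants.BuiltInIdentityProvider;
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> Verify(string code)
    {
        var env = Request.GetOwinContext().Environment;
        var partial = await env.GetIdentityServerPartialLoginAsync();
        if (partial == null) return new HttpUnauthorizedResult();

        var sub = partial.FindFirst(Constants.ClaimTypes.Subject).Value;
        if (!_verifier.Verify(sub, code))
        {
            ModelState.AddModelError("", "Invalid code");
            return View();
        }

        // Start from the claims already in the partial login so "idp", "sub" and the
        // provider's claims survive the update (assumption: the update replaces the claim
        // list). A fresh list that omits "idp" reintroduces the problem from this issue.
        // Only add what the MFA step itself contributes.
        var claims = partial.Claims.ToList();
        claims.Add(new Claim(Constants.ClaimTypes.AuthenticationMethod,
                             Constants.AuthenticationMethods.TwoFactorAuthentication));

        await env.UpdatePartialLoginClaimsAsync(claims);
        return Redirect(await env.GetPartialLoginResumeUrlAsync());
    }
}
```

The value stored in `idp` has to match the `AuthenticationType` configured on the WS-Fed middleware, since that is the name IdentityServer uses to find the middleware whose sign-out it should trigger; `context.ExternalIdentity.Provider` already carries that name when the callback arrives, so passing it through is simpler and less error-prone than hard-coding it.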
